[Dev] WSO2 Committers += Sahan Gunathilaka

2020-10-20 Thread Hasintha Indrajee
Hi All,

It's my pleasure to announce Sahan Gunathilaka as a WSO2 Committer. He has
been a valuable contributor and enthusiast to the WSO2 Identity & Access
Management Team.
In recognition of his contribution, dedication, and commitment he has been
voted as a WSO2 committer.

Congratulations Sahan and keep up the good work...!!!

-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Issue with configuring Identity Server is a OIDC provider

2019-09-29 Thread Hasintha Indrajee
On Mon, Sep 30, 2019 at 11:21 AM Ayesha Dissanayaka  wrote:

>
>
> On Sun, Sep 29, 2019 at 10:48 AM Harsha Kumara  wrote:
>
>>
>>
>> On Fri, Sep 27, 2019 at 7:30 PM Harsha Kumara  wrote:
>>
>>>
>>>
>>> On Fri, Sep 27, 2019 at 7:06 PM Piraveena Paralogarajah <
>>> pirave...@wso2.com> wrote:
>>>
>>>> Hi Harsha,
>>>>
>>>> As @Sathya Bandara pointed out in the previous mail,
>>>>
>>>> In the oauth spec [1], it mandates that client should not use more than
>>>>> one authentication mechanism per request. Hence, we have that validation
>>>>> here.
>>>>> [1] https://tools.ietf.org/html/rfc6749#section-2.3
>>>>
>>>>
>>>> A client should not use more than one authentication mechanism. But an
>>>> Identity provider can have any number of authenticators enabled since
>>>> different clients can use different authentication mechanisms. Using two
>>>> authentication mechanisms at the same time needs to be fixed on the
>>>> client side.
>>>>
>>> Agreed on that, but our client initialization, even in the outbound openid
>>> client, doesn't specifically set the certificate. Since we set the truststores
>>> as system properties, it will by default engage that during the http client
>>> initializations. With this, any client who prefers to use MutualTLS for the
>>> token endpoint should disable this. Since MutualTLS is a transport level
>>> security implementation, people will consider it as an additional layer of
>>> security. When the request reaches the token endpoint, mutual TLS is already
>>> completed. If a client written by us, which resides in the product, calls this
>>> endpoint, it will lead to this issue. Rather than asking users to disable it,
>>> my suggestion is to disable the authenticator by default.
>>>
>>
> The ideal solution for this would be to implement the approach suggested
> by Hasintha.
>
> Prior to IS-5.7.0, the MTLS authenticator was shipped as an external
> connector, and in IS-5.8.0 it has been added to the product by default and
> enabled. If we are to disable this in 5.9.0 by default, there will be an
> inconsistency in the configurations for the existing customers.
>
> However, I am +1 to disable this config in IS as KM distribution for APIM
> 3.0.0, and to keep the authenticator enabled in IS-5.9.0, as the IS-5.9.0-RC vote
> is ongoing and this is not a blocker for that.
>

+1

>
>
>>>> Regards,
>>>> Piraveena
>>>> *Piraveena Paralogarajah*
>>>> Software Engineer | WSO2 Inc.
>>>> *(m)* +94776099594 | *(e)* pirave...@wso2.com
>>>>
>>>>
>>>>
>>>> On Fri, Sep 27, 2019 at 6:53 PM Harsha Kumara  wrote:
>>>>
>>>>> +1 to have it under the application level.
>>>>>
>>>>> This issue even occurs when I configure IS as an OIDC provider in our
>>>>> API Manager. Rather than asking clients to turn it off through the
>>>>> configuration, I'm in favour of having that disabled by default. If a person
>>>>> configures IS as KM, then this becomes a mandatory configuration to disable.
>>>>> Also, this extension was added after IS 5.7.0; if a user migrates, then this
>>>>> again becomes a mandatory option during the migration.
>>>>>
>>>>> Thanks,
>>>>> Harsha
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Sep 27, 2019 at 5:47 PM Hasintha Indrajee 
>>>>> wrote:
>>>>>
>>>>>> The original problem is we can't execute client authenticators per
>>>>>> application. As per our current implementation, we can never have both
>>>>>> MTLS and Basic Auth client authentication supported in the server while
>>>>>> different clients are using Basic auth + MTLS and BasicAuth or MTLS alone.
>>>>>>
>>>>>> Hence I think the best solution is to make client authenticators
>>>>>> configurable per oauth app. This should be an easy implementation. (Store
>>>>>> engaged authenticators as an oauth app property and honour them through an
>>>>>> abstract logic in ClientAuthenticators).
>>>>>>
>>>>>> However, it's rational to turn this MTLS client authenticator off for
>>>>>> OB since it's one of their OOTB use cases.
>>>>>>
>>>>>> On Fri, Sep 27, 2019 at 5:08 PM Harsha Ku

Re: [Dev] Issue with configuring Identity Server is a OIDC provider

2019-09-29 Thread Hasintha Indrajee
On Mon, Sep 30, 2019 at 11:17 AM Farasath Ahamed  wrote:

>
>
> On Fri, Sep 27, 2019 at 5:47 PM Hasintha Indrajee 
> wrote:
>
>> The original problem is we can't execute client authenticators per
>> application. As per our current implementation, we can never have both
>> MTLS and Basic Auth client authentication supported in the server while
>> different clients are using Basic auth + MTLS and BasicAuth or MTLS alone.
>>
>> Hence I think the best solution is to make client authenticators
>> configurable per oauth app. This should be an easy implementation. (Store
>> engaged authenticators as an oauth app property and honour them through an
>> abstract logic in ClientAuthenticators).
>>
> I don't think supporting client authenticators per application would solve
> this problem either.
>

Can you please elaborate more on this? Simply, in this case we can only
engage the Basic client authenticator for this application if we had
per-application support. Even though mtls is used to enforce extra transport
level security, it is not required to use certificates derived from the mtls
session to assert the client.

@Sathya Bandara: Is there a spec for MTLS based client
authentication? If so, we need to read it carefully and see whether we need to
engage the mtls authenticator just because an mtls handshake took place.
(Don't we need to send an extra header or an attribute asking to
authenticate the client using the MTLS session?)

>
>
> What the spec tries to limit is using multiple authentication mechanisms in
> the *same request*. That does not mean that the application should be
> limited to one authentication mechanism.
>
> Are we suggesting to limit an application to allow only one authentication
> mechanism?
>
>>
>> However, it's rational to turn this MTLS client authenticator off for OB
>> since it's one of their OOTB use cases.
>>
>> On Fri, Sep 27, 2019 at 5:08 PM Harsha Kumara  wrote:
>>
>>> Hi All,
>>>
>>> When I configured the IS as KM, the same issue occurred during the token
>>> generation as our client initializes using the required keystores. The client
>>> will set the javax.servlet.request.X509Certificate by default. Our products
>>> support http verify client as an option, which means the client can authenticate
>>> with one or two way SSL. Also, there are clients who secure their token
>>> endpoint with mutual authentication along with the default authentication
>>> used in the grant types. AFAIK, in OB use cases it requires the token endpoint to
>>> be secured with MutualTLS. I believe this authenticator should be disabled by
>>> default. @Hasintha Indrajee WDYT?
>>>
>>> Thanks,
>>> Harsha
>>>
>>> On Sat, Sep 21, 2019 at 10:12 AM Harsha Kumara  wrote:
>>>
>>>> Thank you for the information. Since I'm using the alpha4 update, it
>>>> should have that fix. I'll check further
>>>>
>>>> On Sat, Sep 21, 2019 at 12:20 AM Sathya Bandara 
>>>> wrote:
>>>>
>>>>> That PR was not merged. Instead the missing registry configs were
>>>>> re-added [1]
>>>>>
>>>>> [1] https://github.com/wso2/product-is/pull/6076
>>>>>
>>>>> On Fri, Sep 20, 2019 at 8:35 PM Harsha Kumara 
>>>>> wrote:
>>>>>
>>>>>> Either this should be handled at the client side, mandating not to
>>>>>> send the certificate, or we have to disable the handler. Looks like we
>>>>>> have disabled the handler by default in
>>>>>> https://github.com/wso2/carbon-identity-framework/pull/2336/files
>>>>>>
>>>>>> But I don't see it in the wso2is-5.9.0-alpha4-SNAPSHOT. Was it reverted
>>>>>> again?
>>>>>>
>>>>>> Thanks,
>>>>>> Harsha
>>>>>>
>>>>>> On Fri, Sep 20, 2019 at 7:53 PM Harsha Kumara 
>>>>>> wrote:
>>>>>>
>>>>>>> Thanks a lot @Sathya Bandara  That should be the
>>>>>>> issue. I will check and update the thread.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Harsha
>>>>>>>
>>>>>>> On Fri, Sep 20, 2019 at 7:14 PM Sathya Bandara 
>>>>>>> wrote:
>>>>>>>
>>>>>>>> We came across a similar issue where the OIDC federated
>>>>>>>> authenticator sets the certificate by default to the request [1]. This 
>>>>>>>>

Re: [Dev] Issue with configuring Identity Server is a OIDC provider

2019-09-27 Thread Hasintha Indrajee
The original problem is we can't execute client authenticators per
application. As per our current implementation, we can never have both
MTLS and Basic Auth client authentication supported in the server while
different clients are using Basic auth + MTLS and BasicAuth or MTLS alone.

Hence I think the best solution is to make client authenticators
configurable per oauth app. This should be an easy implementation. (Store
engaged authenticators as an oauth app property and honour them through an
abstract logic in ClientAuthenticators).

However, it's rational to turn this MTLS client authenticator off for OB
since it's one of their OOTB use cases.

On Fri, Sep 27, 2019 at 5:08 PM Harsha Kumara  wrote:

> Hi All,
>
> When I configured the IS as KM, the same issue occurred during the token
> generation as our client initializes using the required keystores. The client
> will set the javax.servlet.request.X509Certificate by default. Our products
> support http verify client as an option, which means the client can authenticate
> with one or two way SSL. Also, there are clients who secure their token
> endpoint with mutual authentication along with the default authentication
> used in the grant types. AFAIK, in OB use cases it requires the token endpoint to
> be secured with MutualTLS. I believe this authenticator should be disabled by
> default. @Hasintha Indrajee WDYT?
>
> Thanks,
> Harsha
>
> On Sat, Sep 21, 2019 at 10:12 AM Harsha Kumara  wrote:
>
>> Thank you for the information. Since I'm using the alpha4 update, it
>> should have that fix. I'll check further
>>
>> On Sat, Sep 21, 2019 at 12:20 AM Sathya Bandara  wrote:
>>
>>> That PR was not merged. Instead the missing registry configs were
>>> re-added [1]
>>>
>>> [1] https://github.com/wso2/product-is/pull/6076
>>>
>>> On Fri, Sep 20, 2019 at 8:35 PM Harsha Kumara  wrote:
>>>
>>>> Either this should be handled at the client side, mandating not to send
>>>> the certificate, or we have to disable the handler. Looks like we have
>>>> disabled the handler by default in
>>>> https://github.com/wso2/carbon-identity-framework/pull/2336/files
>>>>
>>>> But I don't see it in the wso2is-5.9.0-alpha4-SNAPSHOT. Was it reverted
>>>> again?
>>>>
>>>> Thanks,
>>>> Harsha
>>>>
>>>> On Fri, Sep 20, 2019 at 7:53 PM Harsha Kumara  wrote:
>>>>
>>>>> Thanks a lot @Sathya Bandara  That should be the
>>>>> issue. I will check and update the thread.
>>>>>
>>>>> Thanks,
>>>>> Harsha
>>>>>
>>>>> On Fri, Sep 20, 2019 at 7:14 PM Sathya Bandara 
>>>>> wrote:
>>>>>
>>>>>> We came across a similar issue where the OIDC federated authenticator
>>>>>> sets the certificate by default to the request [1]. This has occurred due
>>>>>> to a change to registry.xml with new config model. When the changes were
>>>>>> reverted it worked as expected [2]. Maybe the same issue exists with 
>>>>>> APIM?
>>>>>>
>>>>>> [1] "Error when invoking OIDC federated Authenticator in IS 5.9.0-m5"
>>>>>> [2] https://github.com/wso2/product-is/issues/6013
>>>>>>
>>>>>> On Fri, Sep 20, 2019 at 6:50 PM Harsha Kumara 
>>>>>> wrote:
>>>>>>
>>>>>>> Yes, that's correct. I'm using the openid authenticator, so it sets
>>>>>>> the certificate by default to the header, hence multiple authenticators
>>>>>>> are getting triggered. But mutual SSL is handled at the transport layer and
>>>>>>> even with mutual authentication, client id and secret will be present in
>>>>>>> the request. I feel there is something wrong with the logic.
>>>>>>>
>>>>>>> On Fri, Sep 20, 2019 at 6:39 PM Sathya Bandara 
>>>>>>> wrote:
>>>>>>>
>>>>>>>> If client secret is used for client authentication with POST
>>>>>>>> request to the token endpoint, then it's not required to send the
>>>>>>>> certificate.
>>>>>>>>
>>>>>>>> On Fri, Sep 20, 2019 at 6:35 PM Harsha Kumara 
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> So if so our OpenIDConnectAuthenticator shouldn't set certificate
>>>>>>>>> in the request during the authorization code exchange?
>>

Re: [Dev] Extension point for Client Authentication Handler

2019-09-18 Thread Hasintha Indrajee
On Tue, Sep 17, 2019 at 3:36 PM Piraveena Paralogarajah 
wrote:

> Hi Devs,
>
> According to this doc [1], we can implement a new client authenticator by
> implementing this
> org.wso2.carbon.identity.oauth2.token.handlers.clientauth.ClientAuthenticationHandler
> interface. But this particular interface is in wso2-attic [2] now and is
> no longer used in OAuth component [3]. BasicAuthClientAuthenticator and
> PrivateKeyJWTClientAuthenticator implement AbstractIdentityHandler [4].
>
> I have some concerns regarding this.
>
> 1. Are we still using
>    org.wso2.carbon.identity.oauth2.token.handlers.clientauth.ClientAuthenticationHandler
>    to register a Client Authenticator? If we are not using, then we can remove
>    it from the IS 5.8.0 doc [1] and add the configuration for
>    using AbstractIdentityHandler in the doc space.
>

IIRC this was the approach which we used initially when patching 5.3.0 (I
am not quite sure about this version). We should not recommend writing
OAuth client authenticators using this extension point for later versions
since a more flexible and comprehensive mechanism is provided
using AbstractIdentityHandler. Hence +1 for removing this from docs for
new versions of IS.

>
> 2. For BasicAuthClientAuthenticator and other client authenticators,
>    we are using AbstractIdentityHandler which is an event listener in
>    identity.xml file. Is there any specific reason for registering as an event
>    listener?
>

I think the problem/confusion is with the literal meaning of the
configuration element (*EventListener*). Ideally it should have been
IdentityHandler or some name which gives the broad idea of a handler. If
you go through the existing so-called EventListeners, most of them have
nothing to do with listening to an event. These handlers have nothing
specific to the eventing architecture which we have in IS. The reason to keep
using this handler is the flexibility it provides. We can turn it on and off
while passing required additional configurations inside the handler
itself. Also it provides basic infrastructure for controlling the order of
the execution. These are the basics of a handler that we would need to
reuse.

> Appreciate your input on this.
>
> [1]
> https://docs.wso2.com/display/IS580/Extension+Points+for+OAuth#ExtensionPointsforOAuth-ClientAuthenticationHandler
> [2]
> https://github.com/wso2-attic/carbon-identity/blob/master/components/oauth/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/clientauth/ClientAuthenticationHandler.java
> [3]
> https://github.com/wso2-extensions/identity-inbound-auth-oauth/tree/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/client/authentication
> [4]
> https://docs.wso2.com/display/IS580/Private+Key+JWT+Client+Authentication+for+OIDC
>
> Thanks,
> Piraveena
> *Piraveena Paralogarajah*
> Software Engineer | WSO2 Inc.
> *(m)* +94776099594 | *(e)* pirave...@wso2.com
>
>

-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] Binding access token to the browser for new IAM Portal Applications

2019-09-03 Thread Hasintha Indrajee
Hi Thanuja,

I have a few questions on this.

How are we going to bind the token to the cookie (is this a new entry to a
table)? Is this an existing cookie (maybe commonAuth ID) or a new cookie?
Furthermore, how are we going to handle the scenario where the same user
logs in from multiple browsers? Are we going to have multiple active
tokens for the same client, user with random scopes? Or are we just revoking
the old token if the same scopes are being used?

Or else do we have the facility to have multiple active tokens for the same
user, application with the same scopes in the latest IS versions?

On Mon, Sep 2, 2019 at 3:56 PM Thanuja Jayasinghe  wrote:

> Hi All,
>
> With the introduction of new IAM portal applications, there is a
> requirement to provide additional security measures to secure these SPAs.
> We have already implemented the OAuth2 authorization code flow(public
> client) with PKCE for these applications and with this feature, it will be
> possible to bind the access token to the browser instance. So, an
> additional security measure will be enforced as the combination of the
> access token and browser token(cookie) validated while accessing the IS
> APIs.
> Support for configuring this option using OAuth2 application configuration
> and browser token persistence will be added as well.
>
> Updated request/response flow is as follows,
> [image: Blank Diagram (1).png]
>
> Thanks,
> Thanuja
>
> --
> *Thanuja Lakmal*
> Technical Lead
> WSO2 Inc. http://wso2.com/
> *lean.enterprise.middleware*
> Mobile: +94715979891
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] Authenticating with client_credentials grant failing with due to the use of multiple authenticator execution

2019-01-18 Thread Hasintha Indrajee
were added to the cache for client id : 
>>> TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG 
>>> {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService}
>>>  -  Authentication result from OAuth client authenticator 
>>> BasicOAuthClientCredAuthenticator is : true
>>> TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG 
>>> {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService}
>>>  -  Evaluating canAuthenticate of authenticator : PublicClientAuthenticator
>>> TID: [-1234] [] [2019-01-18 02:51:54,160] DEBUG 
>>> {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService}
>>>  -  PublicClientAuthenticator authenticator can handle incoming request.
>>> TID: [-1234] [] [2019-01-18 02:51:54,160] DEBUG 
>>> {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService}
>>>  -  Previously an authenticator is evaluated. Hence authenticator 
>>> PublicClientAuthenticator is not evaluating
>>> TID: [-1234] [] [2019-01-18 02:51:54,160] DEBUG 
>>> {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService}
>>>  -  Authenticator PublicClientAuthenticator can authenticate the client 
>>> request.  Hence trying to evaluate authentication
>>> *TID: [-1234] [] [2019-01-18 02:51:54,161] DEBUG 
>>> {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService}
>>>  -  2 Authenticators were executed previously. Hence failing client 
>>> authentication
>>> TID: [-1234] [] [2019-01-18 02:51:54,161] DEBUG 
>>> {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService}
>>>  -  Setting error to client authentication context : Error code : 
>>> invalid_request, Error message : The client MUST NOT use more than one 
>>> authentication method in each
>>> *TID: [-1234] [] [2019-01-18 02:51:54,184] DEBUG 
>>> {org.wso2.carbon.identity.oauth2.OAuth2Service} -  Access Token request 
>>> received for Client ID , User ID null, Scope : [accounts] and 
>>> Grant Type : client_credentials
>>> TID: [-1234] [] [2019-01-18 02:51:54,192]  INFO 
>>> {org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration} -  The 
>>> default OAuth token issuer will be used. No custom token generator is set.
>>> TID: [-1234] [] [2019-01-18 02:51:54,192]  INFO 
>>> {org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration} -  The 
>>> default Identity OAuth token issuer will be used. No custom token generator 
>>> is set.
>>> TID: [-1234] [] [2019-01-18 02:51:54,315] DEBUG 
>>> {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} -  Successfully 
>>> created AppInfoCache under OAuthCacheManager
>>> TID: [-1234] [] [2019-01-18 02:51:54,316] DEBUG 
>>> {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} -  Triggering 
>>> access token pre issuer listeners for client: 
>>> TID: [-1234] [] [2019-01-18 02:51:54,316] DEBUG 
>>> {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} -  
>>> OAuth-Error-Code=invalid_request 
>>> client-id=grant-type=client_credentials scope=accounts
>>> TID: [-1234] [] [2019-01-18 02:51:54,316] DEBUG 
>>> {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} -  Triggering 
>>> access token post issuer listeners for client: 
>>>
>>> How can I mitigate this behavior? Disable some of the authenticators?
>>> set priority?
>>> Please give your input,
>>>
>>> Thanks In advance,
>>> Kaveen Rodrigo
>>>
>>> --
>>> *Kaveen Rodrigo *
>>> Software Engineer | WS02
>>>
>>> Email : kav...@wso2.com
>>> Mobile : +94779684749
>>> Web : http://www.wso2.com
>>>
>>> <http://goog_953536661>
>>> [image: http://wso2.com/signature] <http://wso2.com/signature>
>>>
>>
>>
>> --
>> Farasath Ahamed
>> Senior Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 <https://twitter.com/farazath619>
>> <http://wso2.com/signature>
>>
>>
>>
>>
>>
>
> --
> *Kaveen Rodrigo *
> Software Engineer | WS02
>
> Email : kav...@wso2.com
> Mobile : +94779684749
> Web : http://www.wso2.com
>
> <http://goog_953536661>
> [image: http://wso2.com/signature] <http://wso2.com/signature>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] [IS 560] Adaptive authentication - How to handle retry scenarios

2018-10-11 Thread Hasintha Indrajee
I am using the below script to re-attempt on failures from step1;


var rolesToStepUp = ['admin', 'Manager'];

var errorPageParameters = {
    'status': 'Unauthorized',
    'statusMsg': 'You are not authorized to access this application'
};

var errorPage = '';

function onLoginRequest(context) {
    executeBasicAuth(context);
}

function executeBasicAuth(context) {
    executeStep(1, {
        onSuccess: function (context) {
            // Extracting authenticated subject from the first step
            var user = context.currentKnownSubject;
            // Checking if the user is assigned to one of the given roles
            var hasRole = hasAnyOfTheRoles(user, rolesToStepUp);
            if (hasRole) {
                Log.info(user.username + ' Has one of Roles: ' + rolesToStepUp.toString());
                executeStep(2);
            } else {
                sendError(errorPage, errorPageParameters);
            }
        },
        onFail: function (context) {
            executeBasicAuth(context);
        }
    });
}


On Thu, Oct 11, 2018 at 2:10 PM Hasitha De Silva 
wrote:

> [+ maduranga]
>
> On Wed, Oct 10, 2018 at 3:46 PM Hasitha De Silva 
> wrote:
>
>> Hi,
>>
>> I'm having some trouble trying to simulate the login failure scenarios
>> with conditional auth scripts. What is the ideal way to enforce the script
>> to retry login attempts ?
>>
>> Right now my script is as below;
>>
>> function onLoginRequest(context) {
>>     executeStep(1, {
>>         onSuccess: function(context) {
>>             if (!checkIP(context)) {
>>                 if (!checkIPInSubnet(context)) {
>>                     if (step2CheckEmail(context)) {
>>                         executeStep(2, {
>>                             onFail: function(context) {
>>                                 executeStep(2);
>>                             }
>>                         });
>>                     }
>>                 }
>>             }
>>         },
>>         onFail: function(context) {
>>             executeStep(1);
>>         }
>>     });
>> }
>>
>> The expected flow is that the user is taken to the email otp page after
>> basic login, and then, if he/she enters the wrong OTP code, the user should
>> be allowed to retry another OTP code. However, what actually happens is
>> that the user is taken to a default IS error page with following error
>> trace :
>>
>> [2018-10-10 15:26:01,298] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} -  Code mismatch
>> org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException: Code mismatch
>>     at org.wso2.carbon.identity.authenticator.emailotp.EmailOTPAuthenticator.processAuthenticationResponse(EmailOTPAuthenticator.java:242)
>>     at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticator.java:77)
>>     at org.wso2.carbon.identity.authenticator.emailotp.EmailOTPAuthenticator.process(EmailOTPAuthenticator.java:125)
>>     at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.doAuthentication(DefaultStepHandler.java:490)
>>
>> [2018-10-10 15:26:01,362] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} -  Exception in Authentication Framework
>> java.lang.NullPointerException
>>     at org.wso2.carbon.extension.identity.helper.FederatedAuthenticatorUtil.setUsernameFromFirstStep(FederatedAuthenticatorUtil.java:399)
>>     at org.wso2.carbon.identity.authenticator.emailotp.EmailOTPAuthenticator.initiateAuthenticationRequest(EmailOTPAuthenticator.java:160)
>>     at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticator.java:71)
>>     at org.wso2.carbon.identity.authenticator.emailotp.EmailOTPAuthenticator.process(EmailOTPAuthenticator.java:125)
>>
>>
>> Appreciate any help :)
>>
>>
>> Best Regards,
>>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] [IAM] Deprecating data publishing implementations of identity-data-publisher-authentication

2018-10-08 Thread Hasintha Indrajee
On Mon, Oct 8, 2018 at 11:07 AM Farasath Ahamed  wrote:

> Hi,
>
> We could have many extensions written extending the deprecated classes. So
> let's make sure this change is captured in migration docs so that any
> extension written using the deprecated classes are refactored to use the
> newly introduced classes.
>

+1. @Sachini Wettasinghe Can you draft a guide on
migrating an existing data publisher to an event publisher so that we can
include it as a migration guide?

>
>
> Thanks,
> Farasath
>
> On Mon, Oct 8, 2018 at 9:46 AM Sachini Wettasinghe 
> wrote:
>
>> Hi,
>>
>> Currently, I am working on a feature to support cross-protocol logout for
>> IS. According to the design approach of this project, the data publishing
>> implementations are now changed to act as event handlers. For this reason,
>> the following classes of identity-data-publisher-authentication component
>> are *deprecated* so that they can be removed in a later release.
>>
>> - org.wso2.carbon.identity.data.publisher.application.authentication.AbstractAuthenticationDataPublisher
>> - org.wso2.carbon.identity.data.publisher.application.authentication.impl.DASSessionDataPublisherImpl
>> - org.wso2.carbon.identity.data.publisher.application.authentication.impl.AuthenticationAuditLogger
>> - org.wso2.carbon.identity.data.publisher.application.authentication.impl.DASLoginDataPublisherImpl
>>
>> Regards,
>> --
>> *Sachini Wettasinghe*
>> Software Engineer | WSO2
>>
>> <http://wso2.com/signature>
>>
>
>
> --
> Farasath Ahamed
> Senior Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 <https://twitter.com/farazath619>
> <http://wso2.com/signature>
>
>
>
>

-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] Custom Oauth2 client authentication in WSO2 IS 5.5.0

2018-08-26 Thread Hasintha Indrajee
Hi Shiva,

Adding to what Maneesha has explained, if you need a different type of
custom authentication mechanism you can write a new custom authenticator
and deploy it as per the doc. If you instead need to change the existing
BasicClientAuthenticator and add extra checks on top of
BasicClientAuthentication, then you need to *disable* the existing client
authenticator and then add your newly written authenticator. The reason
behind this is that the information in the token request should only be
picked up by a single authenticator in order to authenticate. If it matches
multiple authenticators' canHandle criteria, it is considered an
authentication failure.

On Mon, Aug 27, 2018 at 2:13 AM, Maneesha Wijesekara 
wrote:

> Hi Shiva,
>
> You can follow this documentation [1] in order to simply write your own oauth
> client authenticator.
>
> [1] https://docs.wso2.com/display/IS550/Writing+A+New+OAuth+Client+Authenticator
>
> Regards
> Maneesha
>
> On Mon, Aug 27, 2018 at 12:58 AM, Shiva Kumar K R <
> shiv...@securelyshare.com> wrote:
>
>> Hi,
>> How can I customise oauth client authentication in identity server. I
>> mean I need to add a layer of security to existing basic authentication.
>>
>> Thanks,
>> Shiva
>>
>>
>>
>
>
> --
> Maneesha Wijesekara
> Software Engineer - QA Team
> WSO2 Inc.
>
> Email: manee...@wso2.com
> Linkedin: http://linkedin.com/in/maneeshawijesekara
> Mobile: +94712443119
>
>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453
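
Added example, not part of the original e-mails and not WSO2 code: a small JavaScript model of the rule described in this message and in the MTLS threads above (a token request that more than one client authenticator can handle is rejected), together with the per-application authenticator selection proposed in the 2019-09-27 mail. The request shape, the app registry, the perAppSelection option and the name MutualTLSClientAuthenticator are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of the client-authenticator chain
// discussed in these threads. It is not WSO2 Identity Server source code.
// Hypothetical: the request shape, the app registry, the perAppSelection
// switch and the name "MutualTLSClientAuthenticator".

const X509_ATTR = 'javax.servlet.request.X509Certificate'; // attribute named in the thread

// RFC 6749, section 2.3
const MULTIPLE_METHODS =
  'The client MUST NOT use more than one authentication method in each request';

// Compare two strings without returning at the first mismatching byte.
function sameValue(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ (y[i % (y.length || 1)] || 0);
  return diff === 0;
}

// Read client_id / client_secret from the Basic header or the form body.
function clientCredentials(req) {
  const header = (req.headers && req.headers.authorization) || '';
  if (header.startsWith('Basic ')) {
    const decoded = Buffer.from(header.slice(6), 'base64').toString('utf8');
    const sep = decoded.indexOf(':');
    if (sep > 0) return { clientId: decoded.slice(0, sep), secret: decoded.slice(sep + 1) };
  }
  const body = req.body || {};
  return { clientId: body.client_id || null, secret: body.client_secret || null };
}

const AUTHENTICATORS = [
  {
    name: 'BasicOAuthClientCredAuthenticator', // name as it appears in the debug log
    canAuthenticate: (req) => {
      const c = clientCredentials(req);
      return Boolean(c.clientId && c.secret);
    },
    authenticate: (req, app) =>
      Boolean(app.secret) && sameValue(clientCredentials(req).secret, app.secret),
  },
  {
    name: 'MutualTLSClientAuthenticator', // hypothetical name
    // Claims the request whenever the TLS layer attached a client certificate,
    // even if the client only meant it as transport security.
    canAuthenticate: (req) =>
      Boolean((req.attributes || {})[X509_ATTR] && clientCredentials(req).clientId),
    authenticate: (req, app) =>
      Boolean(app.certificate) && sameValue(req.attributes[X509_ATTR], app.certificate),
  },
];

function authenticateClient(req, apps, options = {}) {
  const { clientId } = clientCredentials(req);
  const app = clientId ? apps.get(clientId) : undefined;
  let engaged = AUTHENTICATORS.filter((a) => a.canAuthenticate(req));
  // Proposal from the thread: honour only the authenticators stored on the app.
  if (options.perAppSelection && app && Array.isArray(app.allowedAuthenticators)) {
    engaged = engaged.filter((a) => app.allowedAuthenticators.includes(a.name));
  }
  const executed = engaged.map((a) => a.name);
  if (engaged.length > 1) {
    return { authenticated: false, error: 'invalid_request', message: MULTIPLE_METHODS, executed };
  }
  if (engaged.length === 0 || !app || !engaged[0].authenticate(req, app)) {
    return { authenticated: false, error: 'invalid_client', message: 'Client authentication failed', executed };
  }
  return { authenticated: true, error: null, message: null, executed };
}

// Constructed sample data (not taken from a real deployment).
const APPS = new Map([
  ['km-client', { secret: 'km-secret', certificate: null,
    allowedAuthenticators: ['BasicOAuthClientCredAuthenticator'] }],
  ['ob-client', { secret: null, certificate: 'CONSTRUCTED-CERT-OB',
    allowedAuthenticators: ['MutualTLSClientAuthenticator'] }],
]);
const basicOnly = { headers: {}, attributes: {},
  body: { grant_type: 'client_credentials', client_id: 'km-client', client_secret: 'km-secret' } };
// Same request, but the HTTP client also presented its keystore certificate.
const basicOverMtls = { ...basicOnly, attributes: { [X509_ATTR]: 'CONSTRUCTED-CERT-KM' } };
const mtlsOnly = { headers: {}, attributes: { [X509_ATTR]: 'CONSTRUCTED-CERT-OB' },
  body: { grant_type: 'client_credentials', client_id: 'ob-client' } };

function runScenarios() {
  return {
    basicOnly: authenticateClient(basicOnly, APPS),
    basicOverMtlsGlobal: authenticateClient(basicOverMtls, APPS),
    basicOverMtlsPerApp: authenticateClient(basicOverMtls, APPS, { perAppSelection: true }),
    mtlsOnlyPerApp: authenticateClient(mtlsOnly, APPS, { perAppSelection: true }),
  };
}

for (const [name, result] of Object.entries(runScenarios())) {
  console.log(name, JSON.stringify(result));
}
```

With every authenticator engaged globally, the secret-plus-certificate request fails with invalid_request before any credential is checked; with per-application selection the same request is evaluated by the Basic authenticator alone.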


Re: [Dev] IAM: Exception while invoke service method deleteIdP

2018-07-30 Thread Hasintha Indrajee
Can you please enable debug logs for carbon.identity level and see whether
you observe any stack trace or any useful clue on this?

On Mon, Jul 30, 2018 at 4:21 PM Achini Jayasena  wrote:

> Hi All,
>
> In JMeter, I'm trying to delete the IdP from an API call. Even though the IdP
> is deleted, I'm getting the following error in the response. Also, there are no
> errors available in the logs.
>
> *Request:*
> http://schemas.xmlsoap.org/soap/envelope/;
> xmlns:mgt="http://mgt.idp.carbon.wso2.org;>
>
>
>   
>  
>  ${IdentityProviderName}
>   
>
> 
>
> *Response:*
>
>  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/;>
>
>   
>  soapenv:Server
>  Exception occurred while trying to invoke service 
> method deleteIdP
>  
>   
>
>
>
> *Jmeter version:* 3.3
>
> *Endpoint:*
> htttps://localhost:9443/services/IdentityProviderMgtService.IdentityProviderMgtServiceHttpsSoap11Endpoint
>
> Anyone have an idea why I'm getting this exception ?
>
>
>
> *Thanks & Best Regards!*
>
> *Achini Jayasena*
> *Software Engineer - QA | WSO2*
>
> Email: achi...@wso2.com
> Mobile: +943 882 897
>
> [image: http://wso2.com/signature] <http://wso2.com/signature>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [VOTE] Release WSO2 Identity Server 5.5.0 RC2

2018-03-15 Thread Hasintha Indrajee
Tested below scenarios with MySQL database

Authentication data publishing.
Custom OAuth client authenticators (Private key JWT client authenticator.)

Self registration with consents (for super and non super tenants)
SSO with missing mandatory claims and consents for SaaS apps. (SAML, with
and without mandatory claims)
Updating and revoking consents through dashboard for super tenant and non
super tenant users.
Consent erasure while apps (for SaaS scenarios) are deleted and users are
deleted.

No blocking issues found and +1 to proceed with release.


On Thu, Mar 15, 2018 at 5:19 AM, Darshana Gunawardana <darsh...@wso2.com>
wrote:

> Hi all,
>
> We are pleased to announce the second release candidate of WSO2 Identity
> Server 5.5.0.
>
> This release fixes the following issues,
>
> - 5.5.0-RC2 fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-RC2>
> - 5.5.0-RC1 fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-RC1>
> - 5.5.0-Beta fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-beta>
> - 5.5.0-Alpha3 fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-alpha3>
> - 5.5.0-Alpha2 fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-alpha2>
> - 5.5.0-Alpha fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-alpha>
> - 5.5.0-M4 fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M4>
> - 5.5.0-M3 fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M3>
> - 5.5.0-M2 fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M2>
> - 5.5.0-M1 fixes <https://github.com/wso2/product-is/issues?q=is%3Aclosed+milestone%3A5.5.0-M1>
>
>
> Source and distribution
>
> Runtime - https://github.com/wso2/product-is/releases/v5.5.0-rc2
> Analytics - https://github.com/wso2/analytics-is/releases/v5.5.0-rc2
>
>
> Please download, test the product and vote.
>
> [+] Stable - go ahead and release
> [-] Broken - do not release (explain why)
>
>
> Thanks,
> - WSO2 Identity and Access Management Team -
>
> --
> Regards,
>
>
> *Darshana Gunawardana*
> Technical Lead
> WSO2 Inc.; http://wso2.com
>
> *E-mail: darsh...@wso2.com*
> *Mobile: +94718566859*
> Lean . Enterprise . Middleware
>



-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] Query Regarding the wso2 identity server and API manager configuration

2018-03-13 Thread Hasintha Indrajee
ow to Generate API
> Manager Access Tokens Using Multi-Factor Authentication” refer link as below
>
> https://wso2.com/library/articles/2015/09/article-how-to-generate-api-manager-access-tokens-using-multi-factor-authentication/
>
> My wso2 identity server version is 5.3.0 and API manager version is 2.1.0.
>
> According to this document application that is created by the API store of
> wso2 API manager should be displayed in the wso2 identity server in service
> provider section but this application is displayed in wso2 API manager
> service provider section it is not displayed in identity server service
> provider section. I have followed the below steps.
>
>
>
> 1.   Configured the wso2 identity server as key manager for wso2 API
> manager.
>
> 2.   Create and publish an API in the API manager in the publisher
> web app
>
> 3.   Open the API Store Web application in a browser and click the
> sign-up link that appears in the top, right-hand corner of the window, fill
> the sign-up form that appears and click the Submit button. Before this I
> have added this user in wso2 API manager and assign role as
> internal/publisher.
>
> 4.   Login to the store web application as the signed-up user. Create
> an application in the store application of the API manager and subscribe to
> the published API using the created application.
>
> 5.   Generate consumer key consumer secret pair for that application.
>
> 6.   I have logged in to the identity server and listed the service
> providers. Created application is not listed as a service provider.
>
> Please let me know which configuration is required for this.
>
>
>
> Thanks & Regards
>
> Monika Sharma
>
>
>
>
>
>
> --
>
> Best Regards..
>
>
>
> Chanika Geeganage
> +94773522586
>
> WSO2, Inc.; http://wso2.com
>
>
>



-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


[Dev] Engage tomcat filters when original request is dispatched towards a different context.

2018-02-25 Thread Hasintha Indrajee
We have the tenant context rewrite valve which dispatches the original request
to the context after removing the tenant context (/t/tenantDomain). Hence
servlet filters are not getting engaged for these dispatched requests. We
need to add an extra <dispatcher> element to our servlet filters in order
to execute them for dispatched requests as well. Below are two examples
without and with the extra dispatcher element.

Shall we add this for all our filters?

Without FORWARD dispatcher

    <filter-mapping>
        <filter-name>CaptchaFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

With FORWARD dispatcher (additionally we can have INCLUDE dispatcher as
well if we are including without forwarding)

    <filter-mapping>
        <filter-name>CaptchaFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
    </filter-mapping>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453 <077%20189%202453>
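
The message above turns on which dispatcher types a filter mapping covers. The following Python audit is an added example, not part of the original message and not WSO2 code: it lists every filter-mapping in a web.xml that would be skipped for forwarded requests. The sample descriptor is constructed, and every filter name other than CaptchaFilter is hypothetical.

```python
import xml.etree.ElementTree as ET

# Per the Servlet specification, a <filter-mapping> with no <dispatcher>
# element applies to REQUEST dispatches only.
DEFAULT_DISPATCHERS = frozenset({"REQUEST"})

# Constructed sample descriptor (not taken from any WSO2 product).
# CaptchaFilter is the filter named in the message; the other names are
# hypothetical.
SAMPLE_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter-mapping>
    <filter-name>CaptchaFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
  <filter-mapping>
    <filter-name>ExampleHeaderFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
  </filter-mapping>
  <filter-mapping>
    <filter-name>ExampleAuditFilter</filter-name>
    <servlet-name>ExampleServlet</servlet-name>
  </filter-mapping>
</web-app>
"""


def _local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def audit_filter_dispatchers(web_xml, required=("REQUEST", "FORWARD")):
    """Return (filter_name, targets, missing_dispatchers) for every
    filter-mapping that does not cover all dispatcher types in `required`.

    Run this on descriptors you own; ElementTree is not hardened against
    hostile XML.
    """
    root = ET.fromstring(web_xml.strip())
    findings = []
    for mapping in root.iter():
        if _local(mapping.tag) != "filter-mapping":
            continue
        name, targets, declared = None, [], set()
        for child in mapping:
            tag = _local(child.tag)
            text = (child.text or "").strip()
            if tag == "filter-name":
                name = text
            elif tag in ("url-pattern", "servlet-name"):
                targets.append(text)
            elif tag == "dispatcher":
                declared.add(text)
        # No <dispatcher> at all means the container falls back to REQUEST.
        effective = declared or DEFAULT_DISPATCHERS
        missing = sorted(set(required) - effective)
        if missing:
            findings.append((name, tuple(targets), missing))
    return findings


if __name__ == "__main__":
    for name, targets, missing in audit_filter_dispatchers(SAMPLE_WEB_XML):
        print("%s %s is not engaged for: %s"
              % (name, list(targets), ", ".join(missing)))
```

A mapping reported here is bypassed whenever the request reaches its target through a forward, which is the situation the tenant context rewrite valve creates.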


Re: [Dev] Improvement for REST authentication valve to obtain UMA Protection Scope

2018-02-20 Thread Hasintha Indrajee
+1. We can do this at OAuth2AccessTokenHandler without any cost since
scopes are anyway returned as a result of oauth2 token validation. Hence
doing this validation again at application level just to retrieve scopes
is a cost.

Please make sure to use an oauth specific name for this parameter so that
anybody who consumes the authentication result knows that this is something
related to oauth authentication. ex - oauth2.scopes

On Wed, Feb 21, 2018 at 12:38 PM, Dewni Weeraman <de...@wso2.com> wrote:

>
> Hi All,
>
> I'm currently working on implementing protection API endpoints for UMA 2.0.
> To access the protection API endpoints it is a must to have a valid PAT
> (Protection API Access Token) in the request. PAT represents the
> authorization of the resource owner for the resource server to use the
> authorization server for protecting resources.
>
> I have used the existing REST authentication valve available at [1] to
> filter out the required values. I have a requirement to check if the token
> has the scope as uma_protection. The issue is that the current valve
> implementation doesn't have a way to obtain the scope. I have to add
> another parameter at [2] to obtain the scope to proceed with the
> authentication.
>
> Please provide your thoughts on this.
>
> [1] https://github.com/wso2-extensions/identity-carbon-auth-rest
> [2] https://github.com/wso2-extensions/identity-carbon-auth-rest/blob/master/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/handler/impl/OAuth2AccessTokenHandler.java#L95
>
> Thanks
> --
> *Dewni Weeraman*
> Trainee Software Engineer | WSO2
>
> Email: de...@wso2.com
> Mobile: +94772979049
> Web: http://wso2.com/
>
>
>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] Error code unsupported_client_authentication_method in IS-5.4.1

2018-02-06 Thread Hasintha Indrajee
On Tue, Feb 6, 2018 at 11:43 PM, Nilasini Thirunavukkarasu <
nilas...@wso2.com> wrote:

> Hi,
>
> Thank you for the reply.
>
> I have checked it in identity-inbound-auth-oauth 5.6.x branch which is
> used for 5.5.0, the error code was changed from
> *unsupported_client_authentication_method* but anyhow it has been changed
> to *invalid_request*. Shouldn't we need to change the error code as
> *invalid_client*?
>

+1. Let's do this change.

>
> [1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/5.6.x/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java#L168-L170
>
>
> Thanks,
> Nila.
>
> On Tue, Feb 6, 2018 at 10:49 PM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>>
>>
>> On Tue, Feb 6, 2018 at 10:32 PM, Maduranga Siriwardena <
>> madura...@wso2.com> wrote:
>>
>>> Hi Nilasini,
>>>
>>> Yes, unsupported_client_authentication_method is an incorrect error
>>> message. So we need to fix this.
>>>
>>> I think this should be already fixed in IS 5.5.0 branch. *@Hasintha*,
>>> can you confirm?
>>>
>>
>> IIRC this is already fixed in 5.5.0-snapshot
>>
>>>
>>> Thanks,
>>>
>>> On Tue, Feb 6, 2018 at 5:07 PM, Nilasini Thirunavukkarasu <
>>> nilas...@wso2.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> In IS-5.4.1 if there is no client authentication in the token request,
>>>> we are giving the error code *unsupported_client_authentication_method*.
>>>> According to the spec[1], if there is no client authentication or
>>>> unsupported client authentication, it will fall under "invalid_client".
>>>>
>>>> invalid_client
>>>>Client authentication failed (e.g., unknown client, no
>>>>client authentication included, or unsupported
>>>>authentication method).  The authorization server MAY
>>>>return an HTTP 401 (Unauthorized) status code to indicate
>>>>which HTTP authentication schemes are supported.  If the
>>>>client attempted to authenticate via the "Authorization"
>>>>request header field, the authorization server MUST
>>>>respond with an HTTP 401 (Unauthorized) status code and
>>>>include the "WWW-Authenticate" response header field
>>>>matching the authentication scheme used by the client.
>>>>
>>>>
>>>>
>>>>
>>>> According to the spec, there is no standard error code like
>>>> *unsupported_client_authentication_method*. Is there any specific reason
>>>> to introduce a new error code *unsupported_client_authentication_method*
>>>> in IS5.4.1?
>>>>
>>>> Example:-
>>>>
>>>> request:-
>>>> curl -H  -k -d "grant_type=client_credentials" -H
>>>> "Content-Type:application/x-www-form-urlencoded"
>>>> https://localhost:9443/oauth2/token -k
>>>>
>>>> response:-
>>>> {"error_description":"Unsupported Client Authentication
>>>> Method!","error":"unsupported_client_authentication_method"}
>>>>
>>>> Please correct me if I'm wrong.
>>>>
>>>> [1] https://tools.ietf.org/html/rfc6749#section-5.2
>>>>
>>>>
>>>> Thanks,
>>>> Nila.
>>>>
>>>> --
>>>> Nilasini Thirunavukkarasu
>>>> Software Engineer - WSO2
>>>>
>>>> Email : nilas...@wso2.com
>>>> Mobile : +94775241823
>>>> Web : http://wso2.com/
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Maduranga Siriwardena
>>> Senior Software Engineer
>>> WSO2 Inc; http://wso2.com/
>>>
>>> Email: madura...@wso2.com
>>> Mobile: +94718990591
>>> Blog: https://madurangasiriwardena.wordpress.com/
>>>
>>
>>
>>
>> --
>> Hasintha Indrajee
>> WSO2, Inc.
>> Mobile:+94 771892453
>>
>>
>
>
> --
> Nilasini Thirunavukkarasu
> Software Engineer - WSO2
>
> Email : nilas...@wso2.com
> Mobile : +94775241823
> Web : http://wso2.com/
>
>



-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453
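
The thread above is about which error code and HTTP status a token endpoint should return when client authentication fails. The following Python sketch is an added example, not part of the thread and not WSO2 Identity Server code: it builds a response that follows RFC 6749 section 5.2 and checks a captured response against the same rules. The function names, the realm value and the HTTP status assumed for the quoted IS 5.4.1 response are assumptions; the response body is the one quoted in the thread.

```python
import json

# Error codes RFC 6749 section 5.2 defines for token endpoint error responses.
RFC6749_TOKEN_ERRORS = frozenset({
    "invalid_request", "invalid_client", "invalid_grant",
    "unauthorized_client", "unsupported_grant_type", "invalid_scope",
})

# Response body quoted in the thread for a token request sent without any
# client authentication.
PAGE_RESPONSE_BODY = (
    '{"error_description":"Unsupported Client Authentication Method!",'
    '"error":"unsupported_client_authentication_method"}'
)


def _header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def _scheme(header_value):
    """First token of an Authorization / WWW-Authenticate value, or None."""
    parts = (header_value or "").split(None, 1)
    return parts[0] if parts else None


def client_auth_failure(request_headers, realm="token"):
    """Build one compliant response for failed or missing client authentication.

    If the client tried the Authorization header, RFC 6749 requires 401 plus
    a WWW-Authenticate challenge matching the scheme it used. Otherwise the
    default 400 is returned (401 is also permitted). `realm` is a hypothetical
    value.
    """
    body = json.dumps({"error": "invalid_client",
                       "error_description": "Client authentication failed"})
    headers = {"Content-Type": "application/json", "Cache-Control": "no-store"}
    scheme = _scheme(_header(request_headers, "Authorization"))
    if scheme:
        headers["WWW-Authenticate"] = '%s realm="%s"' % (scheme, realm)
        return 401, headers, body
    return 400, headers, body


def check_token_error(request_headers, status, response_headers, body):
    """Return a list of RFC 6749 section 5.2 conformance problems (empty = ok)."""
    try:
        payload = json.loads(body)
    except ValueError:
        return ["response body is not valid JSON"]
    if not isinstance(payload, dict):
        return ["response body is not a JSON object"]
    problems = []
    error = payload.get("error")
    if error not in RFC6749_TOKEN_ERRORS:
        problems.append("non-standard error code: %r" % (error,))
    elif error == "invalid_client":
        used = _scheme(_header(request_headers, "Authorization"))
        if used:
            if status != 401:
                problems.append("Authorization header was used, status must be 401")
            offered = _scheme(_header(response_headers, "WWW-Authenticate"))
            if offered is None or offered.lower() != used.lower():
                problems.append("WWW-Authenticate must match scheme %r" % (used,))
        elif status not in (400, 401):
            problems.append("invalid_client expects status 400 or 401")
    elif status != 400:
        problems.append("%s expects status 400" % error)
    return problems


if __name__ == "__main__":
    # Status 400 is an assumption; the thread does not show the status line.
    form_only = {"Content-Type": "application/x-www-form-urlencoded"}
    print(check_token_error(form_only, 400, {}, PAGE_RESPONSE_BODY))
```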


Re: [Dev] Error code unsupported_client_authentication_method in IS-5.4.1

2018-02-06 Thread Hasintha Indrajee
On Tue, Feb 6, 2018 at 10:32 PM, Maduranga Siriwardena <madura...@wso2.com>
wrote:

> Hi Nilasini,
>
> Yes, unsupported_client_authentication_method is an incorrect error
> message. So we need to fix this.
>
> I think this should be already fixed in IS 5.5.0 branch. *@Hasintha*, can
> you confirm?
>

IIRC this is already fixed in 5.5.0-snapshot

>
> Thanks,
>
> On Tue, Feb 6, 2018 at 5:07 PM, Nilasini Thirunavukkarasu <
> nilas...@wso2.com> wrote:
>
>> Hi,
>>
>> In IS-5.4.1 if there is no client authentication in the token request, we
>> are giving the error code *unsupported_client_authentication_method*.
>> According to the spec[1], if there is no client authentication or
>> unsupported client authentication, it will fall under "invalid_client".
>>
>> invalid_client
>>Client authentication failed (e.g., unknown client, no
>>client authentication included, or unsupported
>>authentication method).  The authorization server MAY
>>return an HTTP 401 (Unauthorized) status code to indicate
>>which HTTP authentication schemes are supported.  If the
>>client attempted to authenticate via the "Authorization"
>>request header field, the authorization server MUST
>>respond with an HTTP 401 (Unauthorized) status code and
>>include the "WWW-Authenticate" response header field
>>matching the authentication scheme used by the client.
>>
>>
>>
>>
>> According to the spec, there is no standard error code like
>> *unsupported_client_authentication_method*. Is there any specific reason
>> to introduce a new error code *unsupported_client_authentication_method*
>> in IS5.4.1?
>>
>> Example:-
>>
>> request:-
>> curl -H  -k -d "grant_type=client_credentials" -H
>> "Content-Type:application/x-www-form-urlencoded"
>> https://localhost:9443/oauth2/token -k
>>
>> response:-
>> {"error_description":"Unsupported Client Authentication
>> Method!","error":"unsupported_client_authentication_method"}
>>
>> Please correct me if I'm wrong.
>>
>> [1] https://tools.ietf.org/html/rfc6749#section-5.2
>>
>>
>> Thanks,
>> Nila.
>>
>> --
>> Nilasini Thirunavukkarasu
>> Software Engineer - WSO2
>>
>> Email : nilas...@wso2.com
>> Mobile : +94775241823
>> Web : http://wso2.com/
>>
>>
>
>
>
> --
> Maduranga Siriwardena
> Senior Software Engineer
> WSO2 Inc; http://wso2.com/
>
> Email: madura...@wso2.com
> Mobile: +94718990591
> Blog: https://madurangasiriwardena.wordpress.com/
>



-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] Generalizing Post Authentication Handling in Authentication Framework.

2018-02-01 Thread Hasintha Indrajee
On Fri, Feb 2, 2018 at 8:00 AM, Isura Karunaratne <is...@wso2.com> wrote:

>
>
> On Thu, Feb 1, 2018 at 1:41 PM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>> Eventing is more asynchronous. We may need synchronous processing for
>> this. Also we need to control the flow of these handlers depending on the
>> state of the handler. ex - we may need to do few redirections within a
>> handler in order to proceed (eg - missing mandatory claim handler.). Hence
>> I think it's better to go with a specific interface than our handler
>> architecture.
>>
>
> Eventing can be synchronous as well. Since we need to handle redirections
> +1 to go with a specific interface design.
>
Our current eventing framework does not have synchronous support AFAIK

>
> Thanks
> Isura.
>
>>
>> On Thu, Feb 1, 2018 at 1:36 PM, Malithi Edirisinghe <malit...@wso2.com>
>> wrote:
>>
>>> Hi Hasintha,
>>>
>>> Does this mean that you will be introducing another OSGi service
>>> interface for post authentication handlers.
>>> What about using the already available eventing service [1].
>>>
>>> [1] https://github.com/wso2/carbon-identity-framework/blob/master/components/identity-event/org.wso2.carbon.identity.event/src/main/java/org/wso2/carbon/identity/event/services/IdentityEventService.java
>>>
>>> Thanks,
>>> Malithi.
>>>
>>> On Thu, Feb 1, 2018 at 6:20 AM, Hasintha Indrajee <hasin...@wso2.com>
>>> wrote:
>>>
>>>> At the present we have post authentication criteria which are evaluated
>>>> upon authentication in an authentication flow. Examples are "Handling
>>>> missing mandatory claims" and "Authorization handling". According to the
>>>> current implementation these logics are bound to our framework
>>>> implementation so that if we need to add a new post authentication
>>>> evaluation criteria, we do not have an alternative other than changing
>>>> framework source.
>>>>
>>>> With emerging requirements we may need to add more post authentication
>>>> criteria in the future. For an example, we may need to intercept post
>>>> authentication and request for consent on requested claims. Likewise there
>>>> may be other requirements to intercept post authentication flow.
>>>>
>>>> Foreseeing these requirements we are planning to generalize post
>>>> authentication handling so that post authentication handling will no longer
>>>> be a static part of framework. We should be able to add post authentication
>>>> handlers as OSGI services. Upon this change, missing mandatory claim
>>>> handler and authorization handler will be two OSGI post authentication
>>>> handlers.
>>>>
>>>> --
>>>> Hasintha Indrajee
>>>> WSO2, Inc.
>>>> Mobile:+94 771892453
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>> *Malithi Edirisinghe*
>>> Associate Technical Lead
>>> WSO2 Inc.
>>>
>>> Mobile : +94 (0) 718176807
>>> malit...@wso2.com
>>>
>>
>>
>>
>> --
>> Hasintha Indrajee
>> WSO2, Inc.
>> Mobile:+94 771892453
>>
>>
>
>
> --
>
> *Isura Dilhara Karunaratne*
> Associate Technical Lead | WSO2
> Email: is...@wso2.com
> Mob : +94 772 254 810
> Blog : http://isurad.blogspot.com/
>
>
>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] Generalizing Post Authentication Handling in Authentication Framework.

2018-02-01 Thread Hasintha Indrajee
Eventing is more asynchronous. We may need synchronous processing for this.
Also we need to control the flow of these handlers depending on the state
of the handler. ex - we may need to do few redirections within a handler in
order to proceed (eg - missing mandatory claim handler.). Hence I think
it's better to go with a specific interface than our handler architecture.

On Thu, Feb 1, 2018 at 1:36 PM, Malithi Edirisinghe <malit...@wso2.com>
wrote:

> Hi Hasintha,
>
> Does this mean that you will be introducing another OSGi service interface
> for post authentication handlers.
> What about using the already available eventing service [1].
>
> [1] https://github.com/wso2/carbon-identity-framework/blob/master/components/identity-event/org.wso2.carbon.identity.event/src/main/java/org/wso2/carbon/identity/event/services/IdentityEventService.java
>
> Thanks,
> Malithi.
>
> On Thu, Feb 1, 2018 at 6:20 AM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>> At the present we have post authentication criteria which are evaluated
>> upon authentication in an authentication flow. Examples are "Handling
>> missing mandatory claims" and "Authorization handling". According to the
>> current implementation these logics are bound to our framework
>> implementation so that if we need to add a new post authentication
>> evaluation criteria, we do not have an alternative other than changing
>> framework source.
>>
>> With emerging requirements we may need to add more post authentication
>> criteria in the future. For an example, we may need to intercept post
>> authentication and request for consent on requested claims. Likewise there
>> may be other requirements to intercept post authentication flow.
>>
>> Foreseeing these requirements we are planning to generalize post
>> authentication handling so that post authentication handling will no longer
>> be a static part of framework. We should be able to add post authentication
>> handlers as OSGI services. Upon this change, missing mandatory claim
>> handler and authorization handler will be two OSGI post authentication
>> handlers.
>>
>> --
>> Hasintha Indrajee
>> WSO2, Inc.
>> Mobile:+94 771892453
>>
>>
>
>
> --
>
> *Malithi Edirisinghe*
> Associate Technical Lead
> WSO2 Inc.
>
> Mobile : +94 (0) 718176807
> malit...@wso2.com
>



-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


[Dev] Generalizing Post Authentication Handling in Authentication Framework.

2018-02-01 Thread Hasintha Indrajee
At the present we have post authentication criteria which are evaluated
upon authentication in an authentication flow. Examples are "Handling
missing mandatory claims" and "Authorization handling". According to the
current implementation these logics are bound to our framework
implementation so that if we need to add a new post authentication
evaluation criteria, we do not have an alternative other than changing
framework source.

With emerging requirements we may need to add more post authentication
criteria in the future. For an example, we may need to intercept post
authentication and request for consent on requested claims. Likewise there
may be other requirements to intercept post authentication flow.

Foreseeing these requirements we are planning to generalize post
authentication handling so that post authentication handling will no longer
be a static part of framework. We should be able to add post authentication
handlers as OSGI services. Upon this change, missing mandatory claim
handler and authorization handler will be two OSGI post authentication
handlers.

-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] Generalizing Post Authentication Handling in Authentication Framework.

2018-02-01 Thread Hasintha Indrajee
On Thu, Feb 1, 2018 at 1:41 PM, Hasintha Indrajee <hasin...@wso2.com> wrote:

> Eventing is more asynchronous. We may need synchronous processing for
> this. Also we need to control the flow of these handlers depending on the
> state of the handler. ex - we may need to do few redirections within a
> handler in order to proceed (eg - missing mandatory claim handler.). Hence
> I think it's better to go with a specific interface than our handler
> architecture.
>

sorry. Meant to say "Hence I think it's better to go with a specific
interface than our eventing architecture.."

>
> On Thu, Feb 1, 2018 at 1:36 PM, Malithi Edirisinghe <malit...@wso2.com>
> wrote:
>
>> Hi Hasintha,
>>
>> Does this mean that you will be introducing another OSGi service
>> interface for post authentication handlers.
>> What about using the already available eventing service [1].
>>
>> [1] https://github.com/wso2/carbon-identity-framework/blob/master/components/identity-event/org.wso2.carbon.identity.event/src/main/java/org/wso2/carbon/identity/event/services/IdentityEventService.java
>>
>> Thanks,
>> Malithi.
>>
>> On Thu, Feb 1, 2018 at 6:20 AM, Hasintha Indrajee <hasin...@wso2.com>
>> wrote:
>>
>>> At the present we have post authentication criteria which are evaluated
>>> upon authentication in an authentication flow. Examples are "Handling
>>> missing mandatory claims" and "Authorization handling". According to the
>>> current implementation these logics are bound to our framework
>>> implementation so that if we need to add a new post authentication
>>> evaluation criteria, we do not have an alternative other than changing
>>> framework source.
>>>
>>> With emerging requirements we may need to add more post authentication
>>> criteria in the future. For an example, we may need to intercept post
>>> authentication and request for consent on requested claims. Likewise there
>>> may be other requirements to intercept post authentication flow.
>>>
>>> Foreseeing these requirements we are planning to generalize post
>>> authentication handling so that post authentication handling will no longer
>>> be a static part of framework. We should be able to add post authentication
>>> handlers as OSGI services. Upon this change, missing mandatory claim
>>> handler and authorization handler will be two OSGI post authentication
>>> handlers.
>>>
>>> --
>>> Hasintha Indrajee
>>> WSO2, Inc.
>>> Mobile:+94 771892453
>>>
>>>
>>
>>
>> --
>>
>> *Malithi Edirisinghe*
>> Associate Technical Lead
>> WSO2 Inc.
>>
>> Mobile : +94 (0) 718176807
>> malit...@wso2.com
>>
>
>
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile:+94 771892453
>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] Setting commonAuth Cookie even after failing authorization in a fresh login attempt.

2018-01-29 Thread Hasintha Indrajee
So that's because we don't have a proper way of reverting it back. Hence
isn't it better not to write cookies until a proper access of an
application takes place for this scenario? In multi step scenario it's
true that there is an idp session, but still the user is not properly
logged in since one of the steps failed. Hence next time the next step will
be prompted which means he doesn't have a valid session.

The idea is if we can avoid writing cookies we can unify the post
authentication behaviours (missing mandatory claim handling, authorization,
etc)

On Mon, Jan 29, 2018 at 8:26 PM, Ishara Karunarathna <isha...@wso2.com>
wrote:

> Hi Hasintha,
>
> On Mon, Jan 29, 2018 at 8:19 PM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>> Multi-step authentication is a different case I think, We don't set
>> cookies in an intermediate state. What if we use "remember me" ? So the
>> cookie will be there even if we close the browser. Isn't it?
>>
> Think of the authentication steps.
> step1 : Federated authenticator
> step2 : Local authenticator.
>
> Then in the step 1 federated authenticator will create a session where 2nd
> authentication fails. So in the 2nd time also user will automatically
> redirect to the federated authenticator and authenticated then fails in 2nd
> case.
>
> -Ishara
>
>>
>> On Mon, Jan 29, 2018 at 8:15 PM, Ishara Karunarathna <isha...@wso2.com>
>> wrote:
>>
>>> Hi Hasintha,
>>>
>>> Same can happen in multi-step authentication where a user successfully
>>> login with the 1st authenticator and fail in the 2nd case.
>>>
>>> On Mon, Jan 29, 2018 at 8:04 PM, Hasintha Indrajee <hasin...@wso2.com>
>>> wrote:
>>>
>>>> We have the feature of enabling authorization for service provider [1].
>>>> Imagine a scenario where we login to an SP for the very first time and
>>>> authorization fails due to some violation of authorization policies. Even
>>>> if authorization fails we do set commonAuthId cookie in the response which
>>>> means the user has a valid SSO session from that point onwards.
>>>>
>>>> This can be seen in two perspectives.
>>>>
>>>> 1) The user is authenticated, but authorization fails, Hence we should
>>>> set the cookie for SSO irrespective of authorization decision.
>>>>
>>>> 2) But this may lead to an inconsistent state. Suppose this is the only
>>>> application the user is allowed to login. But due to some policy violation,
>>>> the first login fails. In a case of a shared computer this leads to a
>>>> deadlock where the user can neither properly login nor properly logout. We
>>>> can use the workaround of calling commonAuthLogout=true. But this will not
>>>> do a proper logout. (logging out external idps). Hence in a shared computer
>>>> the user has no option.
>>>>
>>> I think in this case user should close the browser, then he won't get
>>> this issue. this is valid for the multi step authentication as well.
>>>
>>> -Ishara
>>>
>>>>
>>>> Hence I think we can avoid setting cookie until a user successfully
>>>> accesses at least a single application upon successful authentication and
>>>> authorization. So simply even if the user is authenticated for the very
>>>> first time, we will not set the cookie unless the user is authorized to
>>>> access that particular application. (This only applies to the very first
>>>> app the user is trying to login)
>>>>
>>>> WDYT ?
>>>>
>>>>
>>>> [1] https://docs.wso2.com/display/IS530/Configuring+Access+Control+Policy+for+a+Service+Provider
>>>>
>>>>
>>>>
>>>> --
>>>> Hasintha Indrajee
>>>> WSO2, Inc.
>>>> Mobile:+94 771892453
>>>>
>>>>
>>>
>>>
>>> --
>>> Ishara Karunarathna
>>> Technical Lead
>>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>>
>>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
>>> +94717996791
>>>
>>>
>>>
>>
>>
>> --
>> Hasintha Indrajee
>> WSO2, Inc.
>> Mobile:+94 771892453
>>
>>
>
>
> --
> Ishara Karunarathna
> Technical Lead
> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>
> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
> +94717996791
>
>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] Setting commonAuth Cookie even after failing authorization in a fresh login attempt.

2018-01-29 Thread Hasintha Indrajee
Multi-step authentication is a different case I think, We don't set cookies
in an intermediate state. What if we use "remember me" ? So the cookie will
be there even if we close the browser. Isn't it?

On Mon, Jan 29, 2018 at 8:15 PM, Ishara Karunarathna <isha...@wso2.com>
wrote:

> Hi Hasintha,
>
> Same can happen in multi-step authentication where a user successfully
> login with the 1st authenticator and fail in the 2nd case.
>
> On Mon, Jan 29, 2018 at 8:04 PM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>> We have the feature of enabling authorization for service provider [1].
>> Imagine a scenario where we login to an SP for the very first time and
>> authorization fails due to some violation of authorization policies. Even
>> if authorization fails we do set commonAuthId cookie in the response which
>> means the user has a valid SSO session from that point onwards.
>>
>> This can be seen in two perspectives.
>>
>> 1) The user is authenticated, but authorization fails, Hence we should
>> set the cookie for SSO irrespective of authorization decision.
>>
>> 2) But this may lead to an inconsistent state. Suppose this is the only
>> application the user is allowed to login. But due to some policy violation,
>> the first login fails. In a case of a shared computer this leads to a
>> deadlock where the user can neither properly login nor properly logout. We
>> can use the workaround of calling commonAuthLogout=true. But this will not
>> do a proper logout. (logging out external idps). Hence in a shared computer
>> the user has no option.
>>
> I think in this case user should close the browser, then he won't get this
> issue. this is valid for the multi step authentication as well.
>
> -Ishara
>
>>
>> Hence I think we can avoid setting cookie until a user successfully
>> accesses at least a single application upon successful authentication and
>> authorization. So simply even if the user is authenticated for the very
>> first time, we will not set the cookie unless the user is authorized to
>> access that particular application. (This only applies to the very first
>> app the user is trying to login)
>>
>> WDYT ?
>>
>>
>> [1] https://docs.wso2.com/display/IS530/Configuring+Access+Control+Policy+for+a+Service+Provider
>>
>>
>>
>> --
>> Hasintha Indrajee
>> WSO2, Inc.
>> Mobile:+94 771892453
>>
>>
>
>
> --
> Ishara Karunarathna
> Technical Lead
> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>
> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
> +94717996791
>
>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


[Dev] Setting commonAuth Cookie even after failing authorization in a fresh login attempt.

2018-01-29 Thread Hasintha Indrajee
We have the feature of enabling authorization for service provider [1].
Imagine a scenario where we login to an SP for the very first time and
authorization fails due to some violation of authorization policies. Even
if authorization fails we do set commonAuthId cookie in the response which
means the user has a valid SSO session from that point onwards.

This can be seen in two perspectives.

1) The user is authenticated, but authorization fails. Hence we should set
the cookie for SSO irrespective of the authorization decision.

2) But this may lead to an inconsistent state. Suppose this is the only
application the user is allowed to log in to. But due to some policy violation,
the first login fails. In the case of a shared computer this leads to a
deadlock where the user can neither properly log in nor properly log out. We
can use the workaround of calling commonAuthLogout=true. But this will not
do a proper logout (logging out external IdPs). Hence in a shared computer
the user has no option.

Hence I think we can avoid setting cookie until a user successfully
accesses at least a single application upon successful authentication and
authorization. So simply even if the user is authenticated for the very
first time, we will not set the cookie unless the user is authorized to
access that particular application. (This only applies to the very first
app the user is trying to login)

WDYT ?


[1] https://docs.wso2.com/display/IS530/Configuring+Access+Control+Policy+for+a+Service+Provider



-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] [IAM] Defining Two Regex Patterns in User Store Configuration and Claim Configuration is Wrong

2018-01-22 Thread Hasintha Indrajee
Roles at the user store level and the roles which we display in the role claim seem
a bit different in the way we interpret them. The content we display in the
role claim is processed, e.g. we can have the "/" character. So there seems to
be a difference in the content of the two cases. Also the regex which we use in the
claim should be a more generic one which will match all regexes in all user
store configs, i.e. different user stores can have different regex values.

On Tue, Jan 23, 2018 at 10:47 AM, Johann Nallathamby <joh...@wso2.com>
wrote:

>
>
> On Tue, Jan 23, 2018 at 10:16 AM, Isura Karunaratne <is...@wso2.com>
> wrote:
>
>> Hi Johann,
>>
>>
>>
>> On Tue, Jan 23, 2018 at 8:07 AM, Johann Nallathamby <joh...@wso2.com>
>> wrote:
>>
>>> Hi IAM Team,
>>>
>>> We have two regex patterns for user names and role names.
>>>
>>> 1. In the userstore configuration as "UsernameJavaRegex" and
>>> "RolenameJavaRegex".
>>>
>>> 2. Similarly we have Regex property defined for claims and username -
>>> http://wso2.org/claim/username and role name -
>>> http://wso2.org/claims/role are claims as well.
>>>
>>
>>> Can we not have two places to define regex for these two claims? How
>>> come we don't need to define regex for other user attributes in the user
>>> store configuration? Why is username (and role name) special?
>>>
>>>
>>> Also we have separate Javascript Regex properties for username and role
>>> name. Why don't we have the same for other attributes? If so can't we
>>> introduce that as another claim property to be consistent and easy to
>>> understand for users?
>>>
>>
>> RolenameJavaRegex is different from the regex defined in the
>> http://wso2.org/claims/role claim, because that claim is used to store
>> all the roles the particular user is assigned. RolenameJavaRegex will be
>> applied to a single role.
>>
>> Ex. role claim value.  --> Internal/everyone,admin,Application/travelocity.com
>>
>
> Hmm.. I don't think that could be a reason. Regex is defined for a single
> value of a singular or multi-valued attribute. I don't think there is a
> purpose to define a regex for the multi-valued string irrespective of how
> you store it.
>
>
>>
>> Thanks
>> Isura.
>>
>>
>>>
>>> Regards,
>>> Johann.
>>>
>>> --
>>>
>>> *Johann Dilantha Nallathamby*
>>> Senior Lead Solutions Engineer
>>> WSO2, Inc.
>>> lean.enterprise.middleware
>>>
>>> Mobile: *+94 77 7776950*
>>> LinkedIn: http://www.linkedin.com/in/johann-nallathamby
>>> Medium: https://medium.com/@johann_nallathamby
>>> Twitter: *@dj_nallaa*
>>>
>>
>>
>>
>> --
>>
>> *Isura Dilhara Karunaratne*
>> Associate Technical Lead | WSO2
>> Email: is...@wso2.com
>> Mob : +94 772 254 810
>> Blog : http://isurad.blogspot.com/
>>
>>
>>
>>
>
>
> --
>
> *Johann Dilantha Nallathamby*
> Senior Lead Solutions Engineer
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile: *+94 77 7776950*
> LinkedIn: http://www.linkedin.com/in/johann-nallathamby
> Medium: https://medium.com/@johann_nallathamby
> Twitter: *@dj_nallaa*
>



-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453
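
Added example (not code from the thread or from WSO2 Identity Server): the point argued above, that a role-name regex belongs to a single value, shown by validating each entry of the multi-valued role claim against the pattern of the user store named in its prefix. The three patterns, the `PRIMARY` name for unprefixed roles and the second sample claim are constructed; the "," separator follows the claim value quoted in the thread.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

public class RoleClaimRegexDemo {

    // Constructed patterns standing in for each user store's RolenameJavaRegex value.
    private static final Map<String, Pattern> ROLE_REGEX_BY_DOMAIN = new HashMap<>();
    static {
        ROLE_REGEX_BY_DOMAIN.put("PRIMARY", Pattern.compile("^[A-Za-z0-9_-]{3,30}$"));
        ROLE_REGEX_BY_DOMAIN.put("INTERNAL", Pattern.compile("^[A-Za-z0-9_-]{3,30}$"));
        ROLE_REGEX_BY_DOMAIN.put("APPLICATION", Pattern.compile("^[A-Za-z0-9._-]{3,50}$"));
    }

    // Assumption: roles in the claim are joined with "," as in the value quoted in the thread.
    private static final String SEPARATOR = ",";

    /** Returns the entries of a role claim value that fail their own store's role-name pattern. */
    static List<String> invalidRoles(String roleClaimValue) {
        List<String> invalid = new ArrayList<>();
        for (String entry : roleClaimValue.split(SEPARATOR)) {
            String role = entry.trim();
            int slash = role.indexOf('/');
            // "Domain/name" names its store; a bare name is treated as a primary-store role.
            String domain = slash < 0 ? "PRIMARY" : role.substring(0, slash).toUpperCase(Locale.ROOT);
            String name = slash < 0 ? role : role.substring(slash + 1);
            Pattern pattern = ROLE_REGEX_BY_DOMAIN.get(domain);
            // An unknown domain has no pattern to satisfy, so the entry is reported as invalid.
            if (pattern == null || !pattern.matcher(name).matches()) {
                invalid.add(role);
            }
        }
        return invalid;
    }

    public static void main(String[] args) {
        // Claim value quoted in the thread.
        String claim = "Internal/everyone,admin,Application/travelocity.com";

        // Applying a single-role pattern to the whole claim string rejects a perfectly valid claim.
        Pattern singleRole = ROLE_REGEX_BY_DOMAIN.get("PRIMARY");
        System.out.println("whole claim vs single-role regex : " + singleRole.matcher(claim).matches());

        // Applying each store's pattern to each value accepts it.
        System.out.println("invalid entries (thread value)   : " + invalidRoles(claim));

        // Constructed claim with a too-short name, a name containing a space and an unknown domain.
        String bad = "Internal/everyone,ad,Application/bad role,HR/manager";
        System.out.println("invalid entries (constructed)    : " + invalidRoles(bad));
    }
}
```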


Re: [Dev] OAuth2 Client Authentication Error Response when authorization header is malformed

2018-01-22 Thread Hasintha Indrajee
On Mon, Jan 22, 2018 at 8:40 PM, Nilasini Thirunavukkarasu <
nilas...@wso2.com> wrote:

> Hi,
>
>
> Client password is just one of the client authentication methods and also
> client authentication can be extensible according to OAuth2. So why can't
> we say this as an unsupported authentication method? According to the spec,
> if it falls under unsupported authentication method then it will be an
> invalid client.
>

Sending out basic authorization header is one of the ways to authenticate.
Hence the client would expect to authenticate by sending out basic
authentication headers. Since we do support basic authentication it's not
correct to say unsupported authentication mechanism in my point of view.
Rather this is something wrong with the format.

>
> Please correct me if I'm wrong.
>
> Thanks,
> Nila.
>
> On Fri, Jan 19, 2018 at 3:43 PM, Pushpalanka Jayawardhana <la...@wso2.com>
> wrote:
>
>> Hi Hasintha,
>>
>> On Fri, Jan 19, 2018 at 3:32 PM, Hasintha Indrajee <hasin...@wso2.com>
>> wrote:
>>
>>> WDYT about the $subject? Quoted below are the descriptions of the two types of
>>> error codes from the spec [1]. It looks like "invalid_request" is more
>>> appropriate here. Any thoughts? An example authorization header is
>>> Base64Encoded(randomString which doesn't have the
>>> clientid:clientSecret format)
>>>
>>>
>>>  invalid_request
>>>    The request is missing a required parameter, includes an
>>>    unsupported parameter value (other than grant type),
>>>    repeats a parameter, includes multiple credentials,
>>>    utilizes more than one mechanism for authenticating the
>>>    client, or is otherwise malformed.
>>>
>>>  invalid_client
>>>    Client authentication failed (e.g., unknown client, no
>>>    client authentication included, or unsupported
>>>    authentication method).  The authorization server MAY
>>>    return an HTTP 401 (Unauthorized) status code to indicate
>>>    which HTTP authentication schemes are supported.  If the
>>>    client attempted to authenticate via the "Authorization"
>>>    request header field, the authorization server MUST
>>>    respond with an HTTP 401 (Unauthorized) status code and
>>>    include the "WWW-Authenticate" response header field
>>>    matching the authentication scheme used by the client.
>>>
>>>
>> +1 for using 'invalid request' in this case, where client authentication
>> is happening with the method 'client password'.
>> We will have to consider that other authentication mechanisms can also be
>> available as per [2], which won't adhere to this format of
>> 'Base64Encoded(clientid:clientSecret)'.
>>
>>
>>>
>>> [1] https://tools.ietf.org/html/rfc6749
>>>
>> [2] - https://tools.ietf.org/html/rfc6749#section-2.3
>>
>>>
>>>
>>> --
>>> Hasintha Indrajee
>>> WSO2, Inc.
>>> Mobile:+94 771892453
>>>
>>>
>>
>> Thanks,
>> --
>> Pushpalanka.
>> --
>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>> Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
>> Mobile: +94779716248
>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
>>
>>
>>
>>
>
>
> --
> Nilasini Thirunavukkarasu
> Software Engineer - WSO2
>
> Email : nilas...@wso2.com
> Mobile : +94775241823
> Web : http://wso2.com/
>
>



-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] [Architecture] Personal information export API

2018-01-22 Thread Hasintha Indrajee
In a federated user scenario, we have neither the user information nor the email
address of the user if the user is not JIT. Hence we won't be
able to share consents with the user through an offline method. But still for
federated users we need to maintain the consents which we give out to SPs. We
can process this offline and store it somewhere (consent info ready for
download). The way we share will depend. E.g. for the users who have emails
we can send them through an email (as a download link). If not we can share
that information through another medium (e.g. the user profile at a later
login).

On Mon, Jan 22, 2018 at 5:40 PM, Ruwan Abeykoon <ruw...@wso2.com> wrote:

> Hi Hasintha,
> We do not need to export anything we do not keep in our databases.
> Could you please explain further if we need to do anything extra for
> Federated case.
>
> Cheers,
> Ruwan
>
> On Mon, Jan 22, 2018 at 5:33 PM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>> Just a quick question. How are we going to cater consents for federated
>> users? Having consent from 3rd party IDP to IS will not be enough AFAIU. If
>> we are sharing that information through an SP we need to maintain those
>> consents as well. WDYT?
>>
>> In that case how can federated users download their consents?
>>
>> On Mon, Jan 22, 2018 at 5:25 PM, Omindu Rathnaweera <omi...@wso2.com>
>> wrote:
>>
>>> Hi Maduranga,
>>>
>>> In the consent API we do not have the option to get multiple receipts,
>>> the API only returns a list of receipt IDs for a given search criteria. If
>>> you need to include receipt data of all the consent entries, you will have
>>> to iterate through all the consent IDs and fetch the individual receipts.
>>> Keep in mind that this will likely generate a payload of a considerable
>>> size.
>>>
>>> Regards,
>>> Omindu.
>>>
>>>
>>> On Mon, Jan 22, 2018 at 5:12 PM, Maduranga Siriwardena <
>>> madura...@wso2.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> We are creating a REST API to export user information for IS 5.5.0.
>>>>
>>>> Swagger at [1] is the initial design of the API.
>>>>
>>>> In the initial phase we are allowing the data to be exported only by
>>>> the owner of the profile.
>>>>
>>>> At the moment we are planning to export basic user profile information
>>>> and the consents the user has given. Response JSON has 2 parts in it.
>>>>
>>>>    - basic: this part will have the user's profile information (claims)
>>>>      in wso2 dialect
>>>>    - consents: this part will have an array of consents the user has
>>>>      provided to the Identity Server. Though in the swagger it is represented
>>>>      with the ID of the consent receipt, the actual response will consist of
>>>>      the whole consent receipt. (Refer mail thread [2] @
>>>>      architect...@wso2.org for more information)
>>>>
>>>> Below is a sample JSON response.
>>>>
>>>> {
>>>>   "basic": {
>>>>     "http://wso2.org/claims/userid": "92d6513e-f4ca-4438-b403-98380695ed08",
>>>>     "http://wso2.org/claims/username": "maduranga",
>>>>     "http://wso2.org/claims/givenname": "Maduranga",
>>>>     "http://wso2.org/claims/lastname": "Siriwardena",
>>>>     "http://wso2.org/claims/emailaddress": "madura...@wso2.com",
>>>>     "http://wso2.org/claims/telephone": "+947"
>>>>   },
>>>>   "consents": [
>>>>     {
>>>>       "id": "bc53e7bd-013d-4020-b522-1915ada1f305"
>>>>     }
>>>>   ]
>>>> }
>>>>
>>>> Do you have any suggestions for additional types of information to be
>>>> included in the response?
>>>>
>>>> [1] https://app.swaggerhub.com/apis/Maduranga/PersonalInformationExport/1.0.0
>>>> [2] Consent Management APIs for IS 5.5.0
>>>>
>>>> Thanks,
>>>>
>>>> --
>>>> Maduranga Siriwardena
>>>> Senior Software Engineer
>>>> WSO2 Inc; http://wso2.com/
>>>>
>>>> Email: madura...@wso2.com
>>>> Mobile: +94718990591
>>>> Blog: https://madurangasiriwardena.wordpress.com/
>>>>
>>>
>>>
>>>
>>> --
>>> Omindu Rathnaweera
>>> Senior Software Engineer, WSO2 Inc.
>>> Mobile: +94 771 197 211
>>>
>>> ___
>>> Architecture mailing list
>>> architect...@wso2.org
>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>
>>>
>>
>>
>> --
>> Hasintha Indrajee
>> WSO2, Inc.
>> Mobile:+94 771892453
>>
>>
>>
>>
>
>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] [Architecture] Personal information export API

2018-01-22 Thread Hasintha Indrajee
Just a quick question. How are we going to cater consents for federated
users? Having consent from 3rd party IDP to IS will not be enough AFAIU. If
we are sharing that information through an SP we need to maintain those
consents as well. WDYT?

In that case how can federated users download their consents?

On Mon, Jan 22, 2018 at 5:25 PM, Omindu Rathnaweera <omi...@wso2.com> wrote:

> Hi Maduranga,
>
> In the consent API we do not have the option to get multiple receipts, the
> API only returns a list of receipt IDs for a given search criteria. If you
> need to include receipt data of all the consent entries, you will have to
> iterate through all the consent IDs and fetch the individual receipts. Keep
> in mind that this will likely generate a payload of a considerable size.
>
> Regards,
> Omindu.
>
>
> On Mon, Jan 22, 2018 at 5:12 PM, Maduranga Siriwardena <madura...@wso2.com> wrote:
>
>> Hi all,
>>
>> We are creating a REST API to export user information for IS 5.5.0.
>>
>> Swagger at [1] is the initial design of the API.
>>
>> In the initial phase we are allowing the data to be exported only by the
>> owner of the profile.
>>
>> At the moment we are planning to export basic user profile information and
>> the consents the user has given. Response JSON has 2 parts in it.
>>
>>    - basic: this part will have the user's profile information (claims)
>>      in wso2 dialect
>>    - consents: this part will have an array of consents the user has
>>      provided to the Identity Server. Though in the swagger it is represented
>>      with the ID of the consent receipt, the actual response will consist of
>>      the whole consent receipt. (Refer mail thread [2] @ architect...@wso2.org
>>      for more information)
>>
>> Below is a sample JSON response.
>>
>> {
>>   "basic": {
>>     "http://wso2.org/claims/userid": "92d6513e-f4ca-4438-b403-98380695ed08",
>>     "http://wso2.org/claims/username": "maduranga",
>>     "http://wso2.org/claims/givenname": "Maduranga",
>>     "http://wso2.org/claims/lastname": "Siriwardena",
>>     "http://wso2.org/claims/emailaddress": "madura...@wso2.com",
>>     "http://wso2.org/claims/telephone": "+947"
>>   },
>>   "consents": [
>>     {
>>       "id": "bc53e7bd-013d-4020-b522-1915ada1f305"
>>     }
>>   ]
>> }
>>
>> Do you have any suggestions for additional types of information to be
>> included in the response?
>>
>> [1] https://app.swaggerhub.com/apis/Maduranga/PersonalInformationExport/1.0.0
>> [2] Consent Management APIs for IS 5.5.0
>>
>> Thanks,
>>
>> --
>> Maduranga Siriwardena
>> Senior Software Engineer
>> WSO2 Inc; http://wso2.com/
>>
>> Email: madura...@wso2.com
>> Mobile: +94718990591
>> Blog: https://madurangasiriwardena.wordpress.com/
>>
>
>
>
> --
> Omindu Rathnaweera
> Senior Software Engineer, WSO2 Inc.
> Mobile: +94 771 197 211
>
>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


[Dev] OAuth2 Client Authentication Error Response when authorization header is malformed

2018-01-19 Thread Hasintha Indrajee
WDYT about the $subject? Quoted below are the descriptions of the two types of
error codes from the spec [1]. It looks like "invalid_request" is more
appropriate here. Any thoughts? An example authorization header is
Base64Encoded(randomString which doesn't have the
clientid:clientSecret format)


 invalid_request
   The request is missing a required parameter, includes an
   unsupported parameter value (other than grant type),
   repeats a parameter, includes multiple credentials,
   utilizes more than one mechanism for authenticating the
   client, or is otherwise malformed.

 invalid_client
   Client authentication failed (e.g., unknown client, no
   client authentication included, or unsupported
   authentication method).  The authorization server MAY
   return an HTTP 401 (Unauthorized) status code to indicate
   which HTTP authentication schemes are supported.  If the
   client attempted to authenticate via the "Authorization"
   request header field, the authorization server MUST
   respond with an HTTP 401 (Unauthorized) status code and
   include the "WWW-Authenticate" response header field
   matching the authentication scheme used by the client.



[1] https://tools.ietf.org/html/rfc6749

-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453
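
Added example (not code from this thread or from WSO2 Identity Server): one way a token endpoint could map Basic client-authentication outcomes to the two error codes quoted above, following the position taken in the thread that a header which is not Base64(clientid:clientSecret) is `invalid_request`. The client registry, the realm name and the sample headers are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class ClientAuthErrorDemo {

    /** HTTP status, OAuth2 error code (null on success) and WWW-Authenticate value (may be null). */
    static final class Result {
        final int status;
        final String error;
        final String challenge;

        Result(int status, String error, String challenge) {
            this.status = status;
            this.error = error;
            this.challenge = challenge;
        }

        @Override
        public String toString() {
            return status + " " + (error == null ? "authenticated" : error)
                    + (challenge == null ? "" : "  WWW-Authenticate: " + challenge);
        }
    }

    // Assumption: realm name and client registry are constructed for this example.
    private static final String CHALLENGE = "Basic realm=\"token-endpoint\"";
    private static final Map<String, String> CLIENTS = new HashMap<>();
    static {
        CLIENTS.put("demo-client", "demo-secret");
    }

    private static Result malformed() {
        // The thread's proposal: a broken Basic header is a malformed request, not a failed login.
        return new Result(400, "invalid_request", null);
    }

    static Result authenticate(String header) {
        if (header == null || header.trim().isEmpty()) {
            // "no client authentication included" is listed under invalid_client
            return new Result(401, "invalid_client", CHALLENGE);
        }
        String[] parts = header.trim().split("\\s+", 2);
        if (!"Basic".equalsIgnoreCase(parts[0])) {
            // A scheme this server does not support: "unsupported authentication method"
            return new Result(401, "invalid_client", CHALLENGE);
        }
        if (parts.length < 2) {
            return malformed(); // scheme with no credentials
        }
        String credentials;
        try {
            credentials = new String(Base64.getDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return malformed(); // payload is not Base64 at all
        }
        int colon = credentials.indexOf(':');
        if (colon <= 0) {
            return malformed(); // decodes, but is not clientid:clientSecret
        }
        String clientId = credentials.substring(0, colon);
        byte[] presented = credentials.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        String expected = CLIENTS.get(clientId);
        // Time-constant comparison, executed for unknown clients as well.
        byte[] reference = (expected == null ? "" : expected).getBytes(StandardCharsets.UTF_8);
        boolean secretMatches = MessageDigest.isEqual(reference, presented);
        if (expected == null || !secretMatches) {
            // Well-formed header, wrong credentials: 401 plus a challenge for the scheme used
            return new Result(401, "invalid_client", CHALLENGE);
        }
        return new Result(200, null, null);
    }

    private static String basic(String raw) {
        return "Basic " + Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample headers, one per branch.
        String[] headers = {
            basic("demo-client:demo-secret"),        // valid
            basic("demo-client:wrong"),              // wrong secret
            basic("unknown:whatever"),               // unknown client
            basic("randomStringWithoutSeparator"),   // the case raised in the thread
            "Basic %%%not-base64%%%",                // not Base64
            "Digest username=\"demo-client\"",       // unsupported scheme
            null                                     // no header
        };
        for (String h : headers) {
            System.out.println(String.format("%-48s -> %s", h, authenticate(h)));
        }
    }
}
```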


Re: [Dev] Confidential Applications in OAuth2 Flow

2018-01-04 Thread Hasintha Indrajee
On Thu, Jan 4, 2018 at 2:38 PM, Rushmin Fernando <rush...@wso2.com> wrote:

> IMO, a UI looks like below would solve the problem.
>
> *State 1*
>
> ☑ All
>  ☑ Authorization Code
>  ☑ Implicit
>
> *State 2*
>
> ☐ All
> ☑ Authorization Code
> ☐ Implicit
>
>
> And we don't need to globally make a grant type confidential right? IMO we
> can get rid of it since it makes things a bit complex. Do we have a real use
> case for that?
>
>
>
>
> On Thu, Jan 4, 2018 at 2:10 PM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>> A confidential application in OAuth2 flow is an application which
>> requires client authentication before retrieving an access token.
>>
>> According to current implementation we can define confidential
>> applications just per grant type. ie we can define all applications which
>> use authorization code grant should be confidential. We do not have the
>> flexibility to decide whether a specific application should be confidential
>> or not.
>>
>> As a solution we can bring this config to UI and have a per application
>> configuration in UI. If we bring this option to UI level / per application,
>> we can define confidentiality of an application, but in contrast we will
>> miss the ability to define whether a specific type of grant should be
>> confidential or not for a specific application.
>>
>> In order to cater both application and grant type level confidentiality
>> we may need to have configurations per grant type. WDYT ?
>>
>>
>> --
>> Hasintha Indrajee
>> WSO2, Inc.
>> Mobile:+94 771892453
>>
>>
>>
>>
>
>
> --
> *Best Regards*
>
> *Rushmin Fernando*
> *Technical Lead*
>
> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>
> mobile : +94775615183
>
>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] Confidential Applications in OAuth2 Flow

2018-01-04 Thread Hasintha Indrajee
A confidential application in OAuth2 flow is an application which requires
client authentication before retrieving an access token.

According to current implementation we can define confidential applications
just per grant type. ie we can define all applications which use
authorization code grant should be confidential. We do not have the
flexibility to decide whether a specific application should be confidential
or not.

As a solution we can bring this config to UI and have a per application
configuration in UI. If we bring this option to UI level / per application,
we can define confidentiality of an application, but in contrast we will
miss the ability to define whether a specific type of grant should be
confidential or not for a specific application.

In order to cater both application and grant type level confidentiality we
may need to have configurations per grant type. WDYT ?


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] [IS] SAML 2 SSO Login Session Issue

2017-11-13 Thread Hasintha Indrajee
Hi Dilshani,

In SAML bearer grant type, there is no session associated with it. If you have
a valid SAML assertion obtained from a trusted IDP (have to be configured
in IS) it should work. What do you mean by session in this context? Also
the flow you have described seems unclear since you are using travelocity.
Can you please elaborate more?


On Mon, Nov 13, 2017 at 7:04 PM, Dilshani Subasinghe <dilsh...@wso2.com>
wrote:

> Hi IS Team,
>
> Configured SAML 2 SSO in WSO2 IS 5.3.0 for the scenario of "SAML2 Bearer
> Assertion Profile for OAuth 2.0 with WSO2 Travelocity". It worked well and
> moved the setup to cloud instance.
>
> When it is working in cloud set up, it identified that while sending the
> SAML request it may not set the session. I used IP instead of hostname.
> When we give hostname in assertion URL, it may attach session correctly in
> the request.
>
> Is that the expected behavior? Why we can't attach session correctly with
> IP.  I tried to use IP as we may have to add hostname as we accessing it
> remotely. Any solution for that?
>
> [1] https://docs.wso2.com/display/IS530/SAML2+Bearer+Assertion+Profile+for+OAuth+2.0+with+WSO2+Travelocity
>
> Thanks,
> Dilshani
>
> --
>
> Dilshani Subasinghe
> Software Engineer - QA *|* WSO2
> lean *|* enterprise *|* middleware
>
> Mobile : +94773375185
> Blog: dilshani.me
>



-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] Illegal key size or default parameters thrown when trying out the JWT token Sample

2017-11-02 Thread Hasintha Indrajee
mcat.util.net.NioEndpoint$SocketProcessor.run(
> NioEndpoint.java:1734)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: org.wso2.carbon.identity.base.IdentityException: Error while Encrypting Assertion
> at org.wso2.carbon.identity.base.IdentityException.error(IdentityException.java:60)
> at org.wso2.carbon.identity.sso.saml.builders.encryption.DefaultSSOEncrypter.doEncryptedAssertion(DefaultSSOEncrypter.java:58)
> at org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil.setEncryptedAssertion(SAMLSSOUtil.java:657)
> ... 60 more
> Caused by: org.opensaml.xml.encryption.EncryptionException: Error encrypting XMLObject
> at org.opensaml.xml.encryption.Encrypter.encryptElement(Encrypter.java:455)
> at org.opensaml.saml2.encryption.Encrypter.encrypt(Encrypter.java:344)
> at org.opensaml.saml2.encryption.Encrypter.encrypt(Encrypter.java:258)
> at org.wso2.carbon.identity.sso.saml.builders.encryption.DefaultSSOEncrypter.doEncryptedAssertion(DefaultSSOEncrypter.java:55)
> ... 61 more
> Caused by: org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size or default parameters
> Original Exception was java.security.InvalidKeyException: Illegal key size or default parameters
> at org.apache.xml.security.encryption.XMLCipher.encryptData(XMLCipher.java:1140)
> at org.apache.xml.security.encryption.XMLCipher.encryptData(XMLCipher.java:1083)
> at org.opensaml.xml.encryption.Encrypter.encryptElement(Encrypter.java:452)
> ... 64 more
> Caused by: java.security.InvalidKeyException: Illegal key size or default parameters
> at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1026)
> at javax.crypto.Cipher.implInit(Cipher.java:801)
> at javax.crypto.Cipher.chooseProvider(Cipher.java:864)
> at javax.crypto.Cipher.init(Cipher.java:1249)
> at javax.crypto.Cipher.init(Cipher.java:1186)
> at org.apache.xml.security.encryption.XMLCipher.encryptData(XMLCipher.java:1137)
> ... 66 more
>
> Regards,
> Jason
>
> Jason De Silva
> *Software Engineer - QA*
> Mobile: +94 (0) 772 097 678
> Email: jas...@wso2.com
> WSO2 Inc. www.wso2.com
>



-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] Illegal key size or default parameters thrown when trying out the JWT token Sample

2017-11-02 Thread Hasintha Indrajee
It depends on the type of encryption algorithm you are using. What is the
encryption algorithm you are using? Also make sure that you have
installed JCE extensions on top of the relevant java version you are using.

On Thu, Nov 2, 2017 at 10:07 PM, Jason De Silva <jas...@wso2.com> wrote:

> Hi Hasintha,
>
> Yes, I am using SAML bearer grant type. I am basically trying to get the
> sample provided in [1] to work so that I can extend it to work with other
> OAuth grant types. Also, you are correct when I unticked "Enable Assertion
> Encryption" it logged me in successfully. Is there a reason that we cannot
> use the encrypted assertion here?
>
> [1] https://github.com/wso2/msf4j/tree/master/samples/jwt-claims
>
> Regards,
> Jason
>
> Jason De Silva
> *Software Engineer - QA*
> Mobile: +94 (0) 772 097 678
> Email: jas...@wso2.com
> WSO2 Inc. www.wso2.com
>
> On Thu, Nov 2, 2017 at 8:22 PM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>> Hi Jason,
>>
>> Seems like you are using SAML inbound and you have requested an encrypted
>> assertion. Are you using SAML bearer grant type ? Just trying to identify
>> what actually you are trying to achieve here.
>>
>> On Thu, Nov 2, 2017 at 5:02 PM, Jason De Silva <jas...@wso2.com> wrote:
>>
>>> Hi IS Team,
>>>
>>> I am trying out the sample [1] with IS 5.2.0 and 5.3.0 as well. Both the
>>> occasions I face the below issue. I also found [2] where it suggests
>>> increasing the column ACCESS_TOKEN of the table IDN_OAUTH2_ACCESS_TOKEN. I
>>> did it on H2 and MySQL as well but still, it fails. Appreciate any input on
>>> this.
>>>
>>> [1] https://github.com/wso2/msf4j/tree/master/samples/jwt-claims
>>> [2] https://medium.com/@hasinthaindrajee/self-contained-access-tokens-with-wso2-identity-server-82111631d5b6
>>>
>>> [2017-11-02 16:54:16,918] ERROR {org.opensaml.xml.encryption.Encrypter} -  Error encrypting XMLObject
>>> org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size or default parameters
>>> Original Exception was java.security.InvalidKeyException: Illegal key size or default parameters
>>> at org.apache.xml.security.encryption.XMLCipher.encryptData(XMLCipher.java:1140)
>>> at org.apache.xml.security.encryption.XMLCipher.encryptData(XMLCipher.java:1083)
>>> at org.opensaml.xml.encryption.Encrypter.encryptElement(Encrypter.java:452)
>>> at org.opensaml.saml2.encryption.Encrypter.encrypt(Encrypter.java:344)
>>> at org.opensaml.saml2.encryption.Encrypter.encrypt(Encrypter.java:258)
>>> at org.wso2.carbon.identity.sso.saml.builders.encryption.DefaultSSOEncrypter.doEncryptedAssertion(DefaultSSOEncrypter.java:55)
>>> at org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil.setEncryptedAssertion(SAMLSSOUtil.java:657)
>>> at org.wso2.carbon.identity.sso.saml.builders.DefaultResponseBuilder.buildResponse(DefaultResponseBuilder.java:75)
>>> at org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor.process(SPInitSSOAuthnRequestProcessor.java:167)
>>> at org.wso2.carbon.identity.sso.saml.SAMLSSOService.authenticate(SAMLSSOService.java:164)
>>> at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleAuthenticationReponseFromFramework(SAMLSSOProviderServlet.java:816)
>>> at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleRequest(SAMLSSOProviderServlet.java:207)
>>> at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.doGet(SAMLSSOProviderServlet.java:105)
>>> at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.sendRequestToFramework(SAMLSSOProviderServlet.java:1114)
>>> at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleRequest(SAMLSSOProviderServlet.java:169)
>>> at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.doPost(SAMLSSOProviderServlet.java:117)
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>> at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
>>> at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
>>> at
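
Added example (not part of the thread or of WSO2's code): a stand-alone check for the condition behind the "Illegal key size or default parameters" trace and the JCE advice in the reply above. It assumes AES is the algorithm involved, which the thread does not state, and it only reports on the JVM that runs it, so it has to be run with the same Java installation as the server.

```java
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.SecretKeySpec;

public class JcePolicyCheck {

    /** Tries to initialise an AES cipher with a key of the given size; false means the policy rejected it. */
    static boolean aesKeyAccepted(int bits) throws NoSuchAlgorithmException, NoSuchPaddingException {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        SecretKeySpec key = new SecretKeySpec(new byte[bits / 8], "AES"); // all-zero key, test only
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key);
            return true;
        } catch (InvalidKeyException e) {
            // Same failure as the innermost cause in the trace (Cipher.checkCryptoPerm)
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Identify which JVM is being tested; a server may run on a different one than the shell default.
        System.out.println("java.version  : " + System.getProperty("java.version"));
        System.out.println("java.home     : " + System.getProperty("java.home"));
        // Security property read by newer JDKs; null where the JDK does not define it.
        System.out.println("crypto.policy : " + Security.getProperty("crypto.policy"));

        // Integer.MAX_VALUE means the unlimited-strength policy is in effect.
        int max = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("max AES key   : " + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));

        boolean limited = false;
        for (int bits : new int[] {128, 192, 256}) {
            boolean ok = aesKeyAccepted(bits);
            limited |= !ok;
            System.out.println("AES-" + bits + " init  : " + (ok ? "ok" : "REJECTED (illegal key size)"));
        }
        if (limited) {
            System.out.println("This JVM runs with the limited-strength policy: install the JCE"
                    + " unlimited-strength policy files for this Java version, or use a key size it allows.");
        }
    }
}
```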

Re: [Dev] Enable Response signing cannot be done through admin service when creating SAML2 Web SSO Configuraton for a Service Provider

2017-10-22 Thread Hasintha Indrajee
Did you observe this in a WUM updated pack ? If not can you please try with
a WUM updated pack as well ?

On Sat, Oct 21, 2017 at 8:18 PM, Chamara Ariyarathne <chama...@wso2.com>
wrote:

>
>
> On Sat, Oct 21, 2017 at 7:03 PM, Farasath Ahamed <farasa...@wso2.com>
> wrote:
>
>> I suspect a caching issue here.
>> Was this a single node setup or a multi node cluster?
>>
>
> Reproduced in Single node.
>
>>
>> Also when you try out next time. Can you simply view the SP config and
>> click the update button (without ticking and unticking) and see if it works?
>>
>
> Sure.
>
>>
>>
>> On Friday, October 20, 2017, Chamara Ariyarathne <chama...@wso2.com>
>> wrote:
>>
>>> Hi all,
>>>
>>> I'm using the IdentitySAMLSSOConfigService admin service to do the
>>> SAML2 Web SSO Configuration and later using the
>>> IdentityApplicationManagementService admin service to add it to a
>>> service provider configuration.
>>>
>>> I am using this tag to Enable Response Signing.
>>> true
>>>
>>> However, when later checked with the travelocity webapp, the login
>>> fails. When I checked the SP configuration, I can see the checkbox is
>>> ticked for Enable Response Signing in the UI.
>>>
>>> If I untick and tick again the checkbox and update the SP, then the
>>> scenario passes. What that means is, the admin service cannot be used to
>>> make the Enable Response Signing.
>>>
>>> This needs a fix.
>>>
>>> https://wso2.org/jira/browse/IDENTITY-6796
>>>
>>> --
>>> *Chamara Ariyarathne*
>>> WSO2 Inc; http://www.wso2.com/
>>> Mobile; *+94772786766*
>>>
>>
>>
>> --
>> Farasath Ahamed
>> Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>
>>
>>
>>
>
>
> --
> *Chamara Ariyarathne*
> WSO2 Inc; http://www.wso2.com/
> Mobile; *+94772786766*
>
>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] Dynamic client registration request fails due to no user information in the request header.

2017-09-16 Thread Hasintha Indrajee
Just asking for my knowledge,

How do we identify the tenant domain of the application? Do we have it in
the context path, do we get it from the user, or do we have any way to
convey it within the body (by appending to something)? In a case where we get
it from the identified user, how are we going to identify it from a request
without any authentication mechanism?

On Sat, Sep 16, 2017 at 12:36 PM, Gayan Gunawardana <ga...@wso2.com> wrote:

>
>
> On Fri, Sep 15, 2017 at 2:47 PM, Hasini Witharana <hasi...@wso2.com>
> wrote:
>
>> Hi,
>>
>> In OIDC dynamic client registration, in the request header we need to
>> send an already existing user and the password to register a client in WSO2
>> Identity Server. In the OIDC specification [1], it is not mandatory to send
>> user details to register a client.
>>
>> When running the OIDC test suite for dynamic profile, test suite does not
>> send any user details in the header. So we can't create any client and the
>> test fails.
>>
>> For that issue if any user details are not provided in the registration
>> request we can assign an anonymous user (wso2.anonymous.user) and
>> register the client.
>>
> IMO the correct design should be to completely remove the requirement of
> having a user. If we use "wso2.anonymous.user", some applications may have a
> real username and some applications may have "wso2.anonymous.user", which
> ends up with inconsistency.
> Also need to think about creating a role per service provider if any user
> doesn't have that role.
>
>>
>> [1] - https://openid.net/specs/openid-connect-registration-1_0.html
>>
>> --
>>
>> *Hasini Witharana*
>> Software Engineering Intern | WSO2
>>
>>
>> *Email : hasi...@wso2.com <hasi...@wso2.com>*
>>
>> *Mobile : +94713850143 <+94%2071%20385%200143>[image:
>> http://wso2.com/signature] <http://wso2.com/signature>*
>>
>>
>
>
>
> --
> Gayan Gunawardana
> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
> Email: ga...@wso2.com
> Mobile: +94 (71) 8020933
>
>



-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] Have we tested the new DCR on IS 5.4.0 Alpha2?

2017-09-14 Thread Hasintha Indrajee
For IS, the endpoint should be https://localhost:9443/identity/connect/register.
Refer to [1] and [2].

[1] http://openid.net/specs/openid-connect-registration-1_0.html
[2] https://docs.wso2.com/display/IS540/OpenID+Connect+Dynamic+Client+Registration


[Dev] WSO2 Identity Server 5.4.0 Alpha2 Released!

2017-09-07 Thread Hasintha Indrajee
The WSO2 Identity Server team is pleased to announce the release of WSO2
Identity Server 5.4.0 Alpha2. You can download this distribution from the
following location.

Runtime:   https://github.com/wso2/product-is/releases/tag/v5.4.0-alpha2

Following list contains all the features, improvements and bug fixes
available with this alpha2 release.
Bugs

   - [IDENTITY-6148 <https://wso2.org/jira/browse/IDENTITY-6148>] - Include
   recommended security filters to the web apps, by default
   - [IDENTITY-6256 <https://wso2.org/jira/browse/IDENTITY-6256>] - XACML
   fine grained permission model is not working after permission refactoring.
   - [IDENTITY-6311 <https://wso2.org/jira/browse/IDENTITY-6311>] - "kid"
   JWT header parameter shouldn't be a hard coded value
   - [IDENTITY-6328 <https://wso2.org/jira/browse/IDENTITY-6328>] - Client
   credentials grant should not return refresh token in response by default
   - [IDENTITY-6340 <https://wso2.org/jira/browse/IDENTITY-6340>] - Issue
   in ask password email template

Tasks

   - [IDENTITY-6339 <https://wso2.org/jira/browse/IDENTITY-6339>] - Remove
   EnableOAuthCache config from identity.xml

Improvements

   - [IDENTITY-4375 <https://wso2.org/jira/browse/IDENTITY-4375>] -
   RelayState can not be set dynamically in SSO agent
   - [IDENTITY-5093 <https://wso2.org/jira/browse/IDENTITY-5093>] - Provide
   a meaningful message for the attempt to execute scim operation while scim
   is not enabled
   - [IDENTITY-5095 <https://wso2.org/jira/browse/IDENTITY-5095>] -
   Repititive logs for SCIM user update
   - [IDENTITY-5487 <https://wso2.org/jira/browse/IDENTITY-5487>] - Better
   to trim the CSV values in Bulk User Import
   - [IDENTITY-5895 <https://wso2.org/jira/browse/IDENTITY-5895>] - Enhance
   default email templates attractive html templates
   - [IDENTITY-5987 <https://wso2.org/jira/browse/IDENTITY-5987>] - JIT
   Provisioned Users Cannot be Associated to Local Accounts Dynamically
   - [IDENTITY-6032 <https://wso2.org/jira/browse/IDENTITY-6032>] - Pass
   HTTP Request Headers to Grant Handlers
   - [IDENTITY-6342 <https://wso2.org/jira/browse/IDENTITY-6342>] -
   Improving the default behavior of ID token validator



*How To Contribute*
Your feedback is most welcome!
Mailing Lists
Join our mailing list and correspond with the developers directly.

   - Developer List: dev@wso2.org | Subscribe <dev-requ...@wso2.org> | Mail
   Archive <http://wso2.org/mailarchive/dev/>
   - User Forum: StackOverflow
   <http://stackoverflow.com/questions/tagged/wso2is>

Reporting Issues
We encourage you to report issues, improvements and feature requests
regarding WSO2 Identity Server through public WSO2 Identity Server Runtime
JIRA <https://wso2.org/jira/browse/IDENTITY> and Analytics JIRA
<https://wso2.org/jira/browse/ANLYIS>


*~ The WSO2 Identity Server Team ~*

-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


[Dev] Charon master and 3.0.x branch

2017-09-07 Thread Hasintha Indrajee
Hi all,

We have two branches which have Charon 3.x.x code. I think Charon 3.0.x
branch is redundant. Hence will be removing it. Charon 3.x.x. code will be
in master.


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] Avoid Invoking REST endpoints from SSO login page

2017-09-05 Thread Hasintha Indrajee
Can we alter a config inside a webapp easily? I mean if another product
wants to change the config in order to change the OOTB behaviour, it has to
extract and change the config at product build time. Is this
straightforward to a config inside a webapp? On the other hand we cannot
move this config to a file which stays out of the webapp. It's not correct
since authentication endpoint should be ideally self contained.

On Tue, Sep 5, 2017 at 10:01 PM, Nuwandi Wickramasinghe <nuwan...@wso2.com>
wrote:

>
>
> On Tue, Sep 5, 2017 at 12:59 PM, Farasath Ahamed <farasa...@wso2.com>
> wrote:
>
>>
>>
>> On Tue, Sep 5, 2017 at 12:39 PM, Pulasthi Mahawithana <pulast...@wso2.com> wrote:
>>
>>>
>>>
>>> On Mon, Sep 4, 2017 at 2:44 PM, Hasintha Indrajee <hasin...@wso2.com>
>>> wrote:
>>>
>>>> I think we must avoid this if this is just to check whether the
>>>> endpoint exists or not. This is anyway a costly operation. Head will only
>>>> reduce the transport cost. Otherwise when the head request reaches back
>>>> end, it does the relevant operation treating the request as a GET and avoid
>>>> responding with actual payload. In our case this is very costly because
>>>> within these calls, there are user store accesses and multiple other DB
>>>> accesses.
>>>>
>>>
>>> We'll need that check (or some other way) to check whether the identity
>>> mgt webapp exists and deployed since some products don't ship it by
>>> default. And yes, we need to get rid of calling an endpoint which does any
>>> heavy work. So shall we do the HEAD to a page which does not do any heavy
>>> work? May be to "accountrecoveryendpoint/error.jsp"?
>>>
>>
>> Wouldn't it be easier if we do this with a config.
>> ie. By default we do not show these links. If any product ships the
>> account recovery endpoint  and they want to show the recovery links for all
>> service provider logins, then they override this config at product level.
>>
> +1
> Actually there is "IdentityManagementEndpointContextURL" parameter
> configured in authenticationendpoint web.xml. Value of this parameter is
> used to determine the recoveryendpoint url. As per the current
> implementation, if this parameter is not configured, we retrieve the webapp
> url by calling *IdentityUtil.getServerURL("/accountrecoveryendpoint",
> true, true). *Can't we avoid showing the links if
> *IdentityManagementEndpointContextURL* is not configured in
> authentication endpoint? In the default pack, this parameter is commented
> out. So anyone who needs it can un comment it.
>
> However with this implementation, the default behavior of dashboard login
> page would change.
>
>>
>> Another reason for this suggestion is that, upto IS 5.3.0 we only showed
>> the recovery related links when login into user dashboard only. So this is
>> essentially a change in the default behaviour of the product where we now
>> show the recovery links in the login page for all service providers (not
>> just the dashboard). So if someone wants to stick to the previous behaviour
>> they should have a way to do so (ie. maintain backward compatibility).
>>
>
>>
>>>
>>>
>>>>
>>>> On Fri, Aug 18, 2017 at 4:39 PM, Isura Karunaratne <is...@wso2.com>
>>>> wrote:
>>>>
>>>>>
>>>>> On Fri, Aug 18, 2017 at 4:33 PM Malithi Edirisinghe <malit...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> On Fri, Aug 18, 2017 at 4:02 PM, Isura Karunaratne <is...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Malithi,
>>>>>>>
>>>>>>> On Fri, Aug 18, 2017 at 3:41 PM, Malithi Edirisinghe <
>>>>>>> malit...@wso2.com> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Aug 18, 2017 at 12:31 PM, Nuwandi Wickramasinghe <
>>>>>>>> nuwan...@wso2.com> wrote:
>>>>>>>>
>>>>>>>>> Looks like http calls are done to validate the endpoint url. Do we
>>>>>>>>> need this validation before showing the link?
>>>>>>>>>
>>>>>>>>> Shall we remove these calls and directly show the hyper link?
>>>>>>>>>
>>>>>>>>
>>>>>>>> So here the validatio

Re: [Dev] Avoid Invoking REST endpoints from SSO login page

2017-09-04 Thread Hasintha Indrajee
> requests to render 3 hyper links. Also if any of API raises back-end
>>>>>>> exception, bad stack trace will be printed as below.
>>>>>>>
>>>>>>> WARN {org.apache.cxf.phase.PhaseInterceptorChain} -  Application {
>>>>>>> http://endpoint.recovery.identity.carbon.wso2.org/}ClaimsApi has
>>>>>>> thrown exception, unwinding now
>>>>>>> org.apache.cxf.interceptor.Fault
>>>>>>>
>>>>>>>  Is there a better way to handle this situation ?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Gayan
>>>>>>>
>>>>>>> --
>>>>>>> Gayan Gunawardana
>>>>>>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>>>>>>> Email: ga...@wso2.com
>>>>>>> Mobile: +94 (71) 8020933
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> Best Regards,
>>>>>
>>>>> Nuwandi Wickramasinghe
>>>>>
>>>>> Software Engineer
>>>>>
>>>>> WSO2 Inc.
>>>>>
>>>>> Web : http://wso2.com
>>>>>
>>>>> Mobile : 0719214873 <071%20921%204873>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> *Malithi Edirisinghe*
>>>> Associate Technical Lead
>>>> WSO2 Inc.
>>>>
>>>> Mobile : +94 (0) 718176807
>>>> malit...@wso2.com
>>>>
>>>
>>>
>>>
>>> --
>>>
>>> *Isura Dilhara Karunaratne*
>>> Associate Technical Lead | WSO2
>>> Email: is...@wso2.com
>>> Mob : +94 772 254 810 <+94%2077%20225%204810>
>>> Blog : http://isurad.blogspot.com/
>>>
>>>
>>>
>>>
>>
>>
>> --
>>
>> *Malithi Edirisinghe*
>> Associate Technical Lead
>> WSO2 Inc.
>>
>> Mobile : +94 (0) 718176807
>> malit...@wso2.com
>>
> --
>
> *Isura Dilhara Karunaratne*
> Associate Technical Lead | WSO2
> Email: is...@wso2.com
> Mob : +94 772 254 810 <077%20225%204810>
> Blog : http://isurad.blogspot.com/
>
>
>
>
>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


[Dev] JDBCUserstore Config "IsEmailUserName"

2017-07-31 Thread Hasintha Indrajee
Is there any usage of subject? If so, any idea where we honor this config
element? Docs do have this [1]

[1] https://docs.wso2.com/display/IS530/Configuring+a+JDBC+User+Store

-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] [IS] Issue with prioritizing session time out period configuration

2017-07-26 Thread Hasintha Indrajee
To me logic is like this.

Session is maintained using commonAuthId cookie (not from samlssoTokenId).
Usually we do not configure a max age value for commonAuthID through
Identity.xml. Therefore the value which we configure through resident idp
will be taken as the timeout (session idle timeout or remember me period).
But if we configure this in identity.xml for commonAuthId then the value
configured through identity.xml will be taken. But this is fine since we
have given the ability to configure timeouts per tenant through UI. For the
rest of the cookies (including samlssoTokenId) the value which is
configured in identity.xml will be taken as the max age. So our
recommendation should be not to configure a max age for commonAuthId in
identity.xml.


On Wed, Jul 26, 2017 at 5:12 AM, Sathya Bandara <sat...@wso2.com> wrote:

> Hi all,
>
> In the current implementation we can configure the session time out for
> the Identity Server via the resident realm configuration (Idle Session Time
> Out). In addition, with the following configuration in identity.xml we can
> specify a maxAge parameter on cookies in order to configure the session
> time out periods (cookie expiration time).
>
>
>
> * httpOnly="true" secure="true" />*
>
> If this parameter value is specified, in our implementation we give
> priority to max age value configured through the identity.xml over session
> time out value configured in the resident IDP [1].
>
> But for the scenario where in a tenant mode, if the session time out
> period needs to be customized (reduced) for security reasons, if max age
> value is specified in the configuration file priority will be given to that
> rather than the customized session idle time out for that tenant. Is this a
> valid use case?
>
> Highly appreciate your thoughts on this.
>
>
> [1] https://github.com/wso2-extensions/identity-inbound-auth-saml/blob/5.3.x/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java#L854
>
> Thanks,
> Sathya
>
> --
> Sathya Bandara
> Software Engineer
> WSO2 Inc. http://wso2.com
> Mobile: (+94) 715 360 421 <+94%2071%20411%205032>
>
> <+94%2071%20411%205032>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] [WSO2IS] use of sessionDataKey and user bookmarking the login page

2017-07-24 Thread Hasintha Indrajee
Hi Clovis,

SessionDataKey is used as a state parameter between the sequence of
authentication. Within this sequence all redirections and other states are
maintained through this. Once the authentication sequence ends,
SessionDataKey will be removed from both Cache and DB entries. So when
you are re-using an old one, you get errors. The link [1] contains a
workaround for this.

[1] https://medium.com/@hasinthaindrajee/handle-browser-back-button-after-successful-authentication-wso2-identity-server-authentication-8687a681b59e

On Mon, Jul 24, 2017 at 5:16 PM, Clovis Wichoski <clo...@neoinix.com.br>
wrote:

> Hi
>
> The problem is about the user bookmarking login page that have
> sessionDataKey on the URL, somedays after that session got invalid and the
> bookmark always got invalid session until user click to redirect for
> correct page.
>
> I'm trying to figure out ways to deal with authentication framework specifically
> on the customization of login.do and know better about sessionDataKey, but
> I can't find any idea, for example how to check if sessionDataKey is valid,
> and if not, send back to authorization that give back a new sessionDataKey.
>
> Can someone explain the idea behind sessionDataKey or anyone have the
> correct way to solve user using browser to bookmarking login page, but the
> correct is to bookmarking the redirect_uri?
>
>
> Thanks
>
> Clóvis
>
>
>
>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] Custom UserStore works on 5.1.0, 5.2.0 not working in 5.3.0 and 5.4.0-M1

2017-07-03 Thread Hasintha Indrajee
>>>>>> 5.3.0.
>>>>>>
>>>>>> These two handlers call the getUserClaimValues() method of the
>>>>>> userstore to retrieve some claims. Since we haven't overridden the method
>>>>>> in custom userstore implementation it calls the super class. This leads
>>>>>> to trying to find the claims from a non-existing table[3].
>>>>>>
>>>>>> One way to solve is to override the getUserClaimValues() method. But
>>>>>> in the PoV of the extension developer, this would be an unnecessary step
>>>>>> if the custom user store is just used for authentication only as explained
>>>>>> in [4].
>>>>>>
>>>>>> Even in the official docs[5], we do not have any mention of having to
>>>>>> implement the getUserClaimValues() method.
>>>>>>
>>>>>> What would be the correct and the most efficient way to resolve this?
>>>>>> Appreciate your thoughts.
>>>>>>
>>>>>>
>>>>>>
>>>>>> [1] https://github.com/wso2-extensions/identity-event-handler-account-lock/blob/master/components/org.wso2.carbon.identity.handler.event.account.lock/src/main/java/org/wso2/carbon/identity/handler/event/account/lock/AccountDisableHandler.java#L89
>>>>>>
>>>>>> [2] https://github.com/wso2-extensions/identity-event-handler-account-lock/blob/master/components/org.wso2.carbon.identity.handler.event.account.lock/src/main/java/org/wso2/carbon/identity/handler/event/account/lock/AccountLockHandler.java#L186
>>>>>>
>>>>>> [3] https://wso2.org/jira/browse/IDENTITY-6074?focusedCommentId=134555=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-134555
>>>>>>
>>>>>> [4] https://wso2.org/jira/browse/IDENTITY-6074
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>> Farasath Ahamed
>>>>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>>>>> Mobile: +94777603866
>>>>>> Blog: blog.farazath.com
>>>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>>>> <http://wso2.com/signature>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Thanks & Regards,
>>>>>
>>>>> *Johann Dilantha Nallathamby*
>>>>> Senior Technical Lead - WSO2 Identity Server
>>>>> Governance Technologies Team
>>>>> WSO2, Inc.
>>>>> lean.enterprise.middleware
>>>>>
>>>>> Mobile - *+9476950*
>>>>> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> *Isura Dilhara Karunaratne*
>>>> Senior Software Engineer | WSO2
>>>> Email: is...@wso2.com
>>>> Mob : +94 772 254 810 <+94%2077%20225%204810>
>>>> Blog : http://isurad.blogspot.com/
>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>> --
>>
>> *Isura Dilhara Karunaratne*
>> Senior Software Engineer | WSO2
>> Email: is...@wso2.com
>> Mob : +94 772 254 810 <+94%2077%20225%204810>
>> Blog : http://isurad.blogspot.com/
>>
>>
>>
>>
>>
>>
>
>
> --
> Sagara Gunathunga
>
> Associate Director / Architect; WSO2, Inc.;  http://wso2.com
> V.P Apache Web Services;http://ws.apache.org/
> Linkedin; http://www.linkedin.com/in/ssagara
> Blog ;  http://ssagara.blogspot.com
>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Use "/identity" claims for identity mgt functionalities

2017-06-03 Thread Hasintha Indrajee
AFAIK there is no difference in the way we handle identity claims within IS
from 5.0.0 up to now. So these connectors will not be useful if the
userstore is read-only. Better to improve these connectors.

But then again we may need to provide migration scripts and update
documents if we are to do this change.

On Sat, Jun 3, 2017 at 5:10 PM, Malaka Silva <mal...@wso2.com> wrote:

> Hi Hasintha,
>
> I guess this only supports since IS version 530? Most of the
> authenticators identity claims were not considered and will be an issue
> when read only user store is used. Something we have to improve in general.
>
> On Sat, Jun 3, 2017 at 10:08 AM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>> Hi connector team,
>>
>> I noticed that password policy connector [1] is not using an identity
>> claim to store lastPasswordChangedTimestamp which is not correct. These
>> kind of claims should be identity claims. The reason for being an identity
>> claim is to use them even if the userstore is read only. If we use this
>> claim in this way, this claim will be useless if the userstore is read
>> only. The correct claim will look like
>> "http://wso2.org/claims/identity/lastPasswordUpdateTimeStamp"
>>
>>
>> [1] https://github.com/wso2-extensions/identity-outbound-auth-passwordPolicy
>> --
>> Hasintha Indrajee
>> WSO2, Inc.
>> Mobile:+94 771892453 <077%20189%202453>
>>
>>
>
>
> --
>
> Best Regards,
>
> Malaka Silva
> Associate Director / Architect
> M: +94 777 219 791 <077%20721%209791>
> Tel : 94 11 214 5345
> Fax :94 11 2145300 <011%202%20145300>
> Skype : malaka.sampath.silva
> LinkedIn : http://www.linkedin.com/pub/malaka-silva/6/33/77
> Blog : http://mrmalakasilva.blogspot.com/
>
> WSO2, Inc.
> lean . enterprise . middleware
> https://wso2.com/signature
> http://www.wso2.com/about/team/malaka-silva/
> <http://wso2.com/about/team/malaka-silva/>
> https://store.wso2.com/store/
>
> Don't make Trees rare, we should keep them with care
>



-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


[Dev] Use "/identity" claims for identity mgt functionalities

2017-06-02 Thread Hasintha Indrajee
Hi connector team,

I noticed that password policy connector [1] is not using an identity claim
to store lastPasswordChangedTimestamp which is not correct. These kind of
claims should be identity claims. The reason for being an identity claim is
to use them even if the userstore is read only. If we use this claim in
this way, this claim will be useless if the userstore is read only. The
correct claim will look like
"http://wso2.org/claims/identity/lastPasswordUpdateTimeStamp"


[1] https://github.com/wso2-extensions/identity-outbound-auth-passwordPolicy
-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] [IS] No of failed attempts in an authentication framework

2017-03-13 Thread Hasintha Indrajee
You can capture successful as well as unsuccessful login attempts through
an extension point in authentication framework. For an example please refer
the audit logger we have implemented in [1]. But your requirement seems
different. If you are implementing a custom authenticator for this, you can
keep track of the failure count within authenticationContext and redirect to
the application if the number of failures exceeds your threshold value.


[1] https://github.com/wso2-extensions/identity-data-publisher-authentication/blob/master/components/org.wso2.carbon.identity.data.publisher.application.authentication/src/main/java/org/wso2/carbon/identity/data/publisher/application/authentication/impl/AuthenticationAuditLogger.java

On Mon, Mar 13, 2017 at 10:02 PM, Danushka Fernando <danush...@wso2.com>
wrote:

> Actually my requirement is to if that no exceeds certain amount, to return
> with an error message to the application.
>
> Thanks & Regards
> Danushka Fernando
> Senior Software Engineer
> WSO2 inc. http://wso2.com/
> Mobile : +94716332729 <071%20633%202729>
>
> On Mon, Mar 13, 2017 at 9:58 PM, Farasath Ahamed <farasa...@wso2.com>
> wrote:
>
>> + adding Hasintha who worked on similar requirements for IS analytics
>>
>> Farasath Ahamed
>> Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 <https://twitter.com/farazath619>
>> <http://wso2.com/signature>
>>
>>
>>
>> On Mon, Mar 13, 2017 at 9:54 PM, Danushka Fernando <danush...@wso2.com>
>> wrote:
>>
>>> Hi All
>>> I have a sp configuration where I have configured step authentication.
>>> Is there a way to capture the no of failed attempts in a flow inside an
>>> authenticator? Whats the best way of capturing it?
>>>
>>> Thanks & Regards
>>> Danushka Fernando
>>> Senior Software Engineer
>>> WSO2 inc. http://wso2.com/
>>> Mobile : +94716332729 <+94%2071%20633%202729>
>>>
>>>
>>>
>>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] What is the difference between ACS URL and Recipient in SAML2?

2017-03-07 Thread Hasintha Indrajee
According to [1]

" The Recipient URL is another layer of security to make sure that the SAML
response is meant for you and only you.

The Recipient will tell you exactly who the SAML response is for, but the
Audience will tell you, at a broader level, where the response should go.
So for example, the Recipient could be Yankee Stadium, while the Audience
could be New York City.

Using both Audience and Recipient values is recommended."

Again I think this is subjective. IDP and SP can agree on finer levels or
the other way around as well. Recipient value does not need to be limited
to ACS. You can have multiple recipient values as well.


[1] https://support.onelogin.com/hc/en-us/articles/202673944-How-to-Use-the-OneLogin-SAML-Test-Connector

On Wed, Mar 8, 2017 at 12:20 PM, Sewmini Jayaweera <sewm...@wso2.com> wrote:

> ping
>
> Sewmini Jayaweera
> *Software Engineer - QA Team*
> Mobile: +94 (0) 773 381 250 <077%20338%201250>
> sewm...@wso2.com
>
> On Tue, Mar 7, 2017 at 10:58 PM, Sewmini Jayaweera <sewm...@wso2.com>
> wrote:
>
>> Hi,
>>
>> As per the SAML core specification [1], below were the definitions given
>> for ACS URL and Recipient.
>>
>>- *AssertionConsumerServiceURL:* Specifies by value the location to
>>which the  message MUST be returned to the requester. The responder
>>MUST ensure by some means that the value specified is in fact associated
>>with the requester. [SAMLMeta] provides one possible mechanism; signing
>>the enclosing  message is another. This attribute is mutually exclusive
>>with the AssertionConsumerServiceIndex attribute and is typically
>>accompanied by the ProtocolBinding attribute.
>>
>>
>>- *Recipient [Optional]:* A URI specifying the entity or location to
>>which an attesting entity can present the assertion. For example, this
>>attribute might indicate that the assertion must be delivered to a
>>particular network endpoint in order to prevent an intermediary from
>>redirecting it someplace else
>>
>> *Question*
>>
>>1. Should AssertionConsumerServiceURL and Recipient always be the
>>same?
>>2. When exactly do we need to specify a recipient? Appreciate if you
>>can explain with a sample use case.
>>
>> [1]. https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
>>
>> Cheers!
>>
>> Sewmini Jayaweera
>> *Software Engineer - QA Team*
>> Mobile: +94 (0) 773 381 250 <+94%2077%20338%201250>
>> sewm...@wso2.com
>>
>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453
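
How a service provider might enforce the Recipient and Audience distinction discussed in this message, as an added example (not WSO2 Identity Server code and not code from the thread). The URLs, entity IDs and function names are constructed for illustration, and the response signature is assumed to have been verified before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample response; every URL, ID and name below is made up.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2017-03-08T06:50:00Z"
    Destination="https://sp.example.com/saml/acs">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-03-08T06:50:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            Recipient="https://sp.example.com/saml/acs"
            NotOnOrAfter="2017-03-08T06:55:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""
SAMPLE_NOW = datetime(2017, 3, 8, 6, 52, tzinfo=timezone.utc)


def parse_instant(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported SAML timestamp: %r" % value)


def check_targets(response_xml, accepted_endpoints, sp_entity_id, now):
    """Return the reasons to reject; an empty list means the targeting checks pass.

    accepted_endpoints is the set of this SP's own URLs it accepts as Recipient
    (normally its ACS URLs); sp_entity_id is the value expected in Audience.
    """
    problems = []
    # Production code should parse untrusted XML with a hardened parser
    # (for example the defusedxml package); ElementTree keeps this runnable.
    root = ET.fromstring(response_xml)

    destination = root.get("Destination")
    if destination is not None and destination not in accepted_endpoints:
        problems.append("Destination %s is not one of our endpoints" % destination)

    # Policy of this example: exactly one plain (unencrypted) assertion.
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + ["expected exactly one assertion, found %d" % len(assertions)]
    assertion = assertions[0]

    # Recipient (the exact endpoint): at least one bearer confirmation must
    # name one of our endpoints and must not have passed NotOnOrAfter.
    confirmed = False
    for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER or data is None:
            continue
        expiry = data.get("NotOnOrAfter")
        if data.get("Recipient") in accepted_endpoints and expiry and now < parse_instant(expiry):
            confirmed = True
    if not confirmed:
        problems.append("no unexpired bearer confirmation addressed to this SP endpoint")

    # Audience (the broader entity): we must be listed in every
    # AudienceRestriction; the Audience values inside one are alternatives.
    restrictions = assertion.findall("saml:Conditions/saml:AudienceRestriction", NS)
    if not restrictions:
        problems.append("assertion carries no AudienceRestriction")
    for restriction in restrictions:
        audiences = [(a.text or "").strip() for a in restriction.findall("saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("audience %s does not include %s" % (audiences, sp_entity_id))
    return problems


if __name__ == "__main__":
    acs = {"https://sp.example.com/saml/acs"}
    print(check_targets(SAMPLE_RESPONSE, acs, "https://sp.example.com/metadata", SAMPLE_NOW))
    # Same assertion replayed at a different SP endpoint is rejected.
    print(check_targets(SAMPLE_RESPONSE, {"https://other.example.com/saml/acs"},
                        "https://sp.example.com/metadata", SAMPLE_NOW))
```
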


Re: [Dev] SAML Request validation happens after completing all the authentication steps

2017-02-28 Thread Hasintha Indrajee
On Tue, Feb 28, 2017 at 2:52 PM, Dulanja Liyanage <dula...@wso2.com> wrote:

> Originally we identified the tenant domain only after user authentication.
> Then only tenant specific SP configs could be retrieved. That's why
> validation was done only after authentication.
>

Aren't we getting the SP tenant domain with the issuer (appended after an "@"
sign), or at least as a query parameter? Do we do any request validation
based on the authenticated user's tenant domain?

>
> On Tue, Feb 28, 2017 at 2:49 PM, Thanuja Jayasinghe <than...@wso2.com>
> wrote:
>
>> Hi Farasath,
>>
>> On Tue, Feb 28, 2017 at 2:39 PM, Farasath Ahamed <farasa...@wso2.com>
>> wrote:
>>
>>> Hi,
>>>
>>> Noticed $subject happening when we configure SAML SSO with SAML Request
>>> Validation enabled.
>>>
>>> This means that even for an invalid SAML Request (with an invalid
>>> signature) the user will go through the authentication steps configured for
>>> that Service Provider(identified by the issuer value in the request) and
>>> the SAML Request validation only happens after we get the response from the
>>> authentication framework.
>>>
>>> Is this the expected behaviour?
>>>
>>> Yes.
>>
>> We only validate issuer name of the SAML service provider in the
>> authentication request before the authentication.
>>
>> Since we store SAML related configurations in the registry, we have
>> implemented it in this way to improve performance for the valid
>> authentication requests.
>>
>> But ideally, we should validate authentication request before moving to
>> authentication.
>>
>>
>>>
>>> Thanks,
>>> Farasath Ahamed
>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>> Mobile: +94777603866
>>> Blog: blog.farazath.com
>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>> <http://wso2.com/signature>
>>>
>>>
>> Thanks,
>> Thanuja
>> --
>> *Thanuja Lakmal*
>> Senior Software Engineer
>> WSO2 Inc. http://wso2.com/
>> *lean.enterprise.middleware*
>> Mobile: +94715979891 +94758009992
>>
>
>
>
> --
> Thanks & Regards,
> Dulanja Liyanage
> Lead, Platform Security Team
> WSO2 Inc.
>



-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] Error while initiating response builder

2017-02-27 Thread Hasintha Indrajee
Hi Gayan,

This resolved the issue. Thanks for your inputs.

On Mon, Feb 27, 2017 at 6:38 AM, Gayan Gunawardana <ga...@wso2.com> wrote:

> @Hasintha
>
> Please add this to user dependency list and check.
>
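> <dependency>
>     <groupId>org.wso2.msf4j</groupId>
>     <artifactId>jaxrs-delegates</artifactId>
>     <version>${msf4j.version}</version>
>     <scope>test</scope>
> </dependency>
>
> optionList.add(mavenBundle()
>         .groupId("org.wso2.msf4j")
>         .artifactId("jaxrs-delegates")
>         .versionAsInProject().noStart());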
>
> Thanks,
>
> Gayan
>
>
> On Sat, Feb 25, 2017 at 9:07 PM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>> @KasunG : We cannot exclude this dependency since it's required to build
>> up osgi environment for tests. I checked and removed all other transitive
>> ways of inheriting this dependency. But still the issue is there.
>>
>> @Thusitha : This is not due to picking two bundles. Rather picking a
>> bundle and a maven dependency I guess. So we need to to find a way to
>> exclude this maven dependency from test run time. I checked adding
>> different scopes (ex - test, compile) But still couldn't get it solved.
>>
>> On Sat, Feb 25, 2017 at 5:17 PM, Thusitha Thilina Dayaratne <
>> thusit...@wso2.com> wrote:
>>
>>> Hi Hasintha,
>>>
>>> According to the stacktrace, it seems that RuntimeDelegate class is
>>> loaded from 2 bundles. Can you check if you have 2 dependencies which
>>> provided this class ?
>>>
>>> Thanks
>>> Thusitha
>>>
>>> On Sat, Feb 25, 2017 at 5:10 PM, Hasintha Indrajee <hasin...@wso2.com>
>>> wrote:
>>>
>>>>
>>>> Hi all,
>>>>
>>>> I am getting the following class cast exception while initiating a
>>>> Response builder. Following is the line of code causing this issue. Note
>>>> that I am only getting this while running tests. Any Idea about the cause
>>>> of this issue ?
>>>>
>>>> Response.ResponseBuilder builder = Response.noContent();
>>>>
>>>>
>>>> msf4j-core[org.wso2.msf4j.internal.MSF4JMessageProcessor] : Unmapped
>>>> exception
>>>> java.lang.LinkageError: ClassCastException: attempting to
>>>> castjar:file:/home/hasinthaindrajee/.m2/repository/javax/ws/
>>>> rs/javax.ws.rs-api/2.0/javax.ws.rs-api-2.0.jar!/javax/ws/rs/ext/RuntimeDelegate.class
>>>> to bundleresource://53.fwk689654773/javax/ws/rs/ext/RuntimeDele
>>>> gate.class
>>>> at javax.ws.rs.ext.RuntimeDelegate.findDelegate(RuntimeDelegate
>>>> .java:146)
>>>> at javax.ws.rs.ext.RuntimeDelegate.getInstance(RuntimeDelegate.
>>>> java:120)
>>>> at javax.ws.rs.core.Response$ResponseBuilder.newInstance(Respon
>>>> se.java:848)
>>>> at javax.ws.rs.core.Response.status(Response.java:590)
>>>> at javax.ws.rs.core.Response.status(Response.java:601)
>>>> at javax.ws.rs.core.Response.accepted(Response.java:709)
>>>> at org.wso2.carbon.identity.sample.outbound.response.ACSRequest
>>>> ResponseBuilderFactory.createBuilder(ACSRequestResponseBuild
>>>> erFactory.java:16)
>>>> at org.wso2.carbon.identity.gateway.resource.GatewayManager.exe
>>>> cute(GatewayManager.java:86)
>>>> at org.wso2.carbon.identity.gateway.resource.GatewayResource.pr
>>>> ocessGet(GatewayResource.java:59)
>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce
>>>> ssorImpl.java:62)
>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
>>>> thodAccessorImpl.java:43)
>>>> at java.lang.reflect.Method.invoke(Method.java:498)
>>>> at org.wso2.msf4j.internal.router.HttpMethodInfo.invoke(HttpMet
>>>> hodInfo.java:132)
>>>> at org.wso2.msf4j.internal.MSF4JMessageProcessor.dispatchMethod
>>>> (MSF4JMessageProcessor.java:130)
>>>> at org.wso2.msf4j.internal.MSF4JMessageProcessor.receive(MSF4JM
>>>> essageProcessor.java:72)
>>>> at org.wso2.carbon.transport.http.netty.listener.WorkerPoolDisp
>>>> atchingSourceHandler.lambda$publishToWorkerPool$12(WorkerPoo
>>>> lDispatchingSourceHandler.java:125)
>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>>>> Executor.java:1142)
>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>>>> lExecutor.java:617)
>>>> at java.lang.Thread.run(Thread.

Re: [Dev] Error while initiating response builder

2017-02-25 Thread Hasintha Indrajee
@KasunG : We cannot exclude this dependency since it's required to build up
osgi environment for tests. I checked and removed all other transitive ways
of inheriting this dependency. But still the issue is there.

@Thusitha : This is not due to picking two bundles. Rather picking a bundle
and a maven dependency I guess. So we need to find a way to exclude this
maven dependency from test run time. I checked adding different scopes (ex
- test, compile) But still couldn't get it solved.

On Sat, Feb 25, 2017 at 5:17 PM, Thusitha Thilina Dayaratne <
thusit...@wso2.com> wrote:

> Hi Hasintha,
>
> According to the stacktrace, it seems that RuntimeDelegate class is
> loaded from 2 bundles. Can you check if you have 2 dependencies which
> provided this class ?
>
> Thanks
> Thusitha
>
> On Sat, Feb 25, 2017 at 5:10 PM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>>
>> Hi all,
>>
>> I am getting the following class cast exception while initiating a
>> Response builder. Following is the line of code causing this issue. Note
>> that I am only getting this while running tests. Any Idea about the cause
>> of this issue ?
>>
>> Response.ResponseBuilder builder = Response.noContent();
>>
>>
>> msf4j-core[org.wso2.msf4j.internal.MSF4JMessageProcessor] : Unmapped
>> exception
>> java.lang.LinkageError: ClassCastException: attempting to
>> castjar:file:/home/hasinthaindrajee/.m2/repository/javax/ws/
>> rs/javax.ws.rs-api/2.0/javax.ws.rs-api-2.0.jar!/javax/ws/rs/ext/RuntimeDelegate.class
>> to bundleresource://53.fwk689654773/javax/ws/rs/ext/RuntimeDelegate.class
>> at javax.ws.rs.ext.RuntimeDelegate.findDelegate(RuntimeDelegate.java:146)
>> at javax.ws.rs.ext.RuntimeDelegate.getInstance(RuntimeDelegate.java:120)
>> at javax.ws.rs.core.Response$ResponseBuilder.newInstance(Respon
>> se.java:848)
>> at javax.ws.rs.core.Response.status(Response.java:590)
>> at javax.ws.rs.core.Response.status(Response.java:601)
>> at javax.ws.rs.core.Response.accepted(Response.java:709)
>> at org.wso2.carbon.identity.sample.outbound.response.ACSRequest
>> ResponseBuilderFactory.createBuilder(ACSRequestRespon
>> seBuilderFactory.java:16)
>> at org.wso2.carbon.identity.gateway.resource.GatewayManager.
>> execute(GatewayManager.java:86)
>> at org.wso2.carbon.identity.gateway.resource.GatewayResource.
>> processGet(GatewayResource.java:59)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce
>> ssorImpl.java:62)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
>> thodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:498)
>> at org.wso2.msf4j.internal.router.HttpMethodInfo.invoke(HttpMet
>> hodInfo.java:132)
>> at org.wso2.msf4j.internal.MSF4JMessageProcessor.dispatchMethod
>> (MSF4JMessageProcessor.java:130)
>> at org.wso2.msf4j.internal.MSF4JMessageProcessor.receive(MSF4JM
>> essageProcessor.java:72)
>> at org.wso2.carbon.transport.http.netty.listener.WorkerPoolDisp
>> atchingSourceHandler.lambda$publishToWorkerPool$12(WorkerPoo
>> lDispatchingSourceHandler.java:125)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>> Executor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>> lExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>>
>> --
>> Hasintha Indrajee
>> WSO2, Inc.
>> Mobile:+94 771892453
>>
>>
>
>
> --
> Thusitha Dayaratne
> Software Engineer
> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>
> Mobile  +94712756809
> Blog  alokayasoya.blogspot.com
> About  http://about.me/thusithathilina
> <http://wso2.com/signature>
>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


[Dev] Error while initiating response builder

2017-02-25 Thread Hasintha Indrajee
Hi all,

I am getting the following class cast exception while initiating a Response
builder. Following is the line of code causing this issue. Note that I am
only getting this while running tests. Any Idea about the cause of this
issue ?

Response.ResponseBuilder builder = Response.noContent();


msf4j-core[org.wso2.msf4j.internal.MSF4JMessageProcessor] : Unmapped
exception
java.lang.LinkageError: ClassCastException: attempting to
castjar:file:/home/hasinthaindrajee/.m2/repository/javax/ws/rs/javax.ws.rs-api/2.0/javax.ws.rs-api-2.0.jar!/javax/ws/rs/ext/RuntimeDelegate.class
to bundleresource://53.fwk689654773/javax/ws/rs/ext/RuntimeDelegate.class
at javax.ws.rs.ext.RuntimeDelegate.findDelegate(RuntimeDelegate.java:146)
at javax.ws.rs.ext.RuntimeDelegate.getInstance(RuntimeDelegate.java:120)
at javax.ws.rs.core.Response$ResponseBuilder.newInstance(Response.java:848)
at javax.ws.rs.core.Response.status(Response.java:590)
at javax.ws.rs.core.Response.status(Response.java:601)
at javax.ws.rs.core.Response.accepted(Response.java:709)
at
org.wso2.carbon.identity.sample.outbound.response.ACSRequestResponseBuilderFactory.createBuilder(ACSRequestResponseBuilderFactory.java:16)
at
org.wso2.carbon.identity.gateway.resource.GatewayManager.execute(GatewayManager.java:86)
at
org.wso2.carbon.identity.gateway.resource.GatewayResource.processGet(GatewayResource.java:59)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.wso2.msf4j.internal.router.HttpMethodInfo.invoke(HttpMethodInfo.java:132)
at
org.wso2.msf4j.internal.MSF4JMessageProcessor.dispatchMethod(MSF4JMessageProcessor.java:130)
at
org.wso2.msf4j.internal.MSF4JMessageProcessor.receive(MSF4JMessageProcessor.java:72)
at
org.wso2.carbon.transport.http.netty.listener.WorkerPoolDispatchingSourceHandler.lambda$publishToWorkerPool$12(WorkerPoolDispatchingSourceHandler.java:125)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453
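
A diagnostic for the error in this thread, added here as an example and not code from the WSO2 thread or project: the LinkageError names two locations for `RuntimeDelegate.class` (a jar under `.m2` and a `bundleresource://` URL), and this class prints, for each class loader in play, which copies are visible and which one defines the class. `ClassOriginCheck` and its method names are hypothetical.

```java
import java.io.IOException;
import java.net.URL;
import java.security.CodeSource;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

// Added example, not WSO2 code. ClassOriginCheck and its methods are hypothetical names.
public class ClassOriginCheck {

    /** URLs of every copy of the class file that this loader can see. */
    static Set<String> visibleCopies(ClassLoader loader, String className) throws IOException {
        String resource = className.replace('.', '/') + ".class";
        Set<String> urls = new LinkedHashSet<>();
        for (URL url : Collections.list(loader.getResources(resource))) {
            urls.add(url.toString());
        }
        return urls;
    }

    /** The Class object this loader resolves the name to, or null if it cannot load it. */
    static Class<?> resolve(ClassLoader loader, String className) {
        try {
            // false: link the class without running its static initializers
            return Class.forName(className, false, loader);
        } catch (ClassNotFoundException | LinkageError e) {
            return null;
        }
    }

    /** Code location and defining loader of a resolved class. */
    static String origin(Class<?> type) {
        CodeSource source = type.getProtectionDomain().getCodeSource();
        String location = (source == null || source.getLocation() == null)
                ? "<no code source>" : source.getLocation().toString();
        return location + " via " + type.getClassLoader();
    }

    /** Prints a per-loader report and returns the number of distinct definitions found. */
    static int report(String className, Map<String, ClassLoader> loaders) throws IOException {
        // Class equality is identity, so two entries here mean two incompatible definitions.
        Set<Class<?>> definitions = new LinkedHashSet<>();
        for (Map.Entry<String, ClassLoader> entry : loaders.entrySet()) {
            ClassLoader loader = entry.getValue();
            if (loader == null) {
                continue; // bootstrap loader or unset context loader
            }
            System.out.println("[" + entry.getKey() + "] " + loader);
            for (String url : visibleCopies(loader, className)) {
                System.out.println("  visible: " + url);
            }
            Class<?> type = resolve(loader, className);
            if (type == null) {
                System.out.println("  defined: <not loadable here>");
            } else {
                System.out.println("  defined: " + origin(type));
                definitions.add(type);
            }
        }
        if (definitions.size() > 1) {
            System.out.println("CONFLICT: " + definitions.size() + " distinct definitions of "
                    + className + "; an instance of one cannot be cast to the other.");
        }
        return definitions.size();
    }

    public static void main(String[] args) throws IOException {
        // Default is the class named in the stack trace above.
        String className = args.length > 0 ? args[0] : "javax.ws.rs.ext.RuntimeDelegate";
        Map<String, ClassLoader> loaders = new LinkedHashMap<>();
        loaders.put("thread context", Thread.currentThread().getContextClassLoader());
        loaders.put("this class", ClassOriginCheck.class.getClassLoader());
        loaders.put("system", ClassLoader.getSystemClassLoader());
        report(className, loaders);
    }
}
```

Inside an OSGi test run, call `report` from the failing test or component and add the loader of the class that throws to the map, since the command-line `main` only sees the plain classpath.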


[Dev] OSGI imports are not getting resolved

2017-02-20 Thread Hasintha Indrajee
Hi All,

I am building a new orbit bundle for opensaml [1], The reason for building
this is to make some of the imports optional (javax.servlet.jsp and
org.apache.axiom.om.impl.dom.jaxp).

With this OSGI bundle I am getting issues while starting up the server. The
issue is while resolving [org.apache.commons.ssl] import. But this is being
exported in my osgi environment by [commons-httpclient_3.1.0.wso2v3]. The
issue is that this is not being picked up by opensaml (Even though we
import correct version ranges).

Another thing I have observed is "org.apache.commons.httpclient" which is
also being exported from the above httpclient bundle is also imported by
opensaml bundle without any issue. This import is working as expected.

Currently above imports are as optional. I made them compulsory but still
the issue is there since it cannot find the "org.apache.commons.ssl"
package within opensaml.

I have uploaded a distribution where I can observe this issue to the svn
location [2].


[1]
https://github.com/hasinthaindrajee/orbit/blob/opensaml_and_encorder/opensaml/2.6.4.wso2v4/pom.xml
[2]
https://svn.wso2.org/repos/wso2/people/hasintha/opensaml_issue/wso2is-6.0.0-SNAPSHOT.zip
-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] STS Client sample Doesn't work for Non-repudiation

2017-01-16 Thread Hasintha Indrajee
>>
>>   http://docs.oasis-open.org/wss/2004/01/oasis-2004
>> 01-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-649751EC57E04F21
>> D3148360533186918">
>>  http://docs.oasi
>> s-open.org/wss/2004/01/oasis-200401-wss-soap-message-securi
>> ty-1.0#Base64Binary" ValueType="http://docs.oasis-o
>> pen.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
>> ">a/jhNus21KVuoFx65LmkW2O/l10=
>>   
>>
>> 
>>  
>>  http://schemas.xmlsoap.org/ws/2004/08/addressing/
>> role/anonymous
>>  urn:uuid:8904e3e1-9aea-4271-bac1-c99c52ce641f
>> 
>>  http://schemas.xmlsoap.org/ws/2004/08/addressing
>> /fault
>>  urn:uuid:c514e93f-6a96-4640-8304-400320f95d5a
>> 
>>   
>>   http://docs.oasis-o
>> pen.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> wsu:Id="Id-1962192193">
>>  http://www.w3
>> .org/2003/05/soap-envelope">
>> 
>>axis2ns11:Sender
>>
>>   http://docs.o
>> asis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
>> ">axis2ns12:FailedCheck
>>
>> 
>> 
>>The signature or decryption
>> was invalid (The provided certificate is invalid); nested exception is:
>> java.security.cert.CertificateExpiredException: NotAfter: Mon Jul 01
>> 15:53:52 IST 2013
>> 11
>> 32
>>  
>>   
>>
>>
>> Similar kind of issue reported in [1] as well.
>>
>>
>>
>>
>>
>> [1] https://docs.wso2.com/display/IS510/Accessing+Claim+Aware+Services+using+STS+Secured+with+Non-repudiation
>> [2] https://github.com/wso2/product-is/tree/v5.1.0/modules/samples/sts/sts-client
>> [3] https://wso2.org/jira/si/jira.issueviews:issue-html/WSAS-957/WSAS-957.html
>>
>> --
>> Gayan Gunawardana
>> Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: ga...@wso2.com
>> Mobile: +94 (71) 8020933
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> *Ashen Weerathunga*
> Software Engineer
> WSO2 Inc.: http://wso2.com
> lean.enterprise.middleware
>
> Email: as...@wso2.com
> Mobile: +94716042995
> LinkedIn: http://lk.linkedin.com/in/ashenweerathunga
> <http://wso2.com/signature>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] Step to retrive username to find out phone number in SMSOTP

2016-12-20 Thread Hasintha Indrajee
Previous step is just a special case for "any step". So the correct
behaviour should be it I guess.

On Tue, Dec 20, 2016 at 12:46 PM, Kathees Rajendram <kath...@wso2.com>
wrote:

> Hi Hasintha,
>
> In first step of two factor authenticators (SMS OTP,  TOTP, Email OTP,
> etc), we get user name from previous step. Since you have a requirement to
> configure multi step authentication with SMS OTP authenticator and select
> the step as an option, we need to introduce a new parameter in
> application-authenticator.xml for each authenticators to select the step
> and improve.
>
> Thanks,
> Kathees
>
> On Tue, Dec 20, 2016 at 12:00 PM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>> Hi all,
>>
>> When I go through SMSOTP, found out that we are getting authenticated
>> user from the *previous* step which causes to lose the flexibility to
>> get the user from any other step. I think this is not the correct behaviour
>> and the behaviour should be like following.
>>
>> We need to find a local user before sending out mobile verification code
>> to the mobile number which is associated with that particular local user.
>> This user can be a user who comes from any step. The step can be a local
>> step or a federated step. If it is a federated step an account association
>> has to be present for that particular federated user.
>>
>> Above behaviour is already there in the implementation of [1]. What we
>> lack is the ability to define this step which we need to use to get the
>> username for mobile number discovery.
>>
>> Ideally we can't restrict to get user from subject step or any other
>> fixed step. We should give the flexibility to choose any step to get local
>> user. So my option for this is to give an authenticator configuration to
>> decide which step should be used to discover the associated local user and
>> his mobile number.
>>
>> WDYT ?
>>
>> [1] https://github.com/wso2-extensions/identity-extension-utils/blob/master/component/helper/src/main/java/org/wso2/carbon/extension/identity/helper/FederatedAuthenticator.java#L343
>>
>> --
>> Hasintha Indrajee
>> WSO2, Inc.
>> Mobile:+94 771892453
>>
>>
>
>
> --
> Kathees
> Software Engineer,
> email: kath...@wso2.com
> mobile: +94772596173
>



-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] CAS is not working when the application is a SaaS app

2016-11-18 Thread Hasintha Indrajee
Hi Kathees,

As per offline discussion with you the issue is there and need to be fixed.
Apart from that I couldn't change the subject claim using "Subject Claim
URI:". Can we get this fixed please ?

On Wed, Nov 16, 2016 at 5:19 PM, Kathees Rajendram <kath...@wso2.com> wrote:

>
>
> On Wed, Nov 16, 2016 at 5:03 PM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>> This is with a custom claim mapping right ?. I couldn't get requested
>> claim without a custom claim mapping. Is there anything I am overlooking ?
>>
>
> Yes. I checked SAML2 service provider claim mapping and it works same.
> Please correct me if it is wrong.
>
>>
>>
>> On Wed, Nov 16, 2016 at 5:01 PM, Kathees Rajendram <kath...@wso2.com>
>> wrote:
>>
>>> Hi Hasintha
>>>
>>> On Wed, Nov 16, 2016 at 12:54 PM, Hasintha Indrajee <hasin...@wso2.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Wed, Nov 16, 2016 at 12:25 PM, Hasintha Indrajee <hasin...@wso2.com>
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Tue, Nov 15, 2016 at 5:41 PM, Hasintha Indrajee <hasin...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> Please find the below fix for this issue. This includes an API
>>>>>> change. Please review and merge this fix.
>>>>>>
>>>>>> [1] https://github.com/wso2-extensions/identity-inbound-auth-cas/pull/10
>>>>>>
>>>>>
>>>>> This fix only returns subject. I think we need to improve it to return
>>>>> attributes as well.
>>>>>
>>>>
>>>> Sorry. Not getting attributes is a general behaviour I have observed
>>>> for super tenant users as well. I configured requested claims and still
>>>> couldn't get user claims. There seems to be an issue.
>>>>
>>>
>>> I was able to get the attributes with your fix by enabling "Requested
>>> Claim" check box in service provider. Please check and confirm.
>>>
>>>
>>>
>>>>
>>>>>> On Tue, Nov 15, 2016 at 2:52 PM, Malaka Silva <mal...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Kanapriya can you have a quick look and update with findings please?
>>>>>>>
>>>>>>> On Tue, Nov 15, 2016 at 11:33 AM, Hasintha Indrajee <
>>>>>>> hasin...@wso2.com> wrote:
>>>>>>>
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> CAS is not working when we register a SaaS application and when I
>>>>>>>> am trying to login from a different tenant user. This should be
>>>>>>>> supported by CAS authentication as it is a basic requirement.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Hasintha Indrajee
>>>>>>>> WSO2, Inc.
>>>>>>>> Mobile:+94 771892453
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> Best Regards,
>>>>>>>
>>>>>>> Malaka Silva
>>>>>>> Senior Technical Lead
>>>>>>> M: +94 777 219 791
>>>>>>> Tel : 94 11 214 5345
>>>>>>> Fax :94 11 2145300
>>>>>>> Skype : malaka.sampath.silva
>>>>>>> LinkedIn : http://www.linkedin.com/pub/malaka-silva/6/33/77
>>>>>>> Blog : http://mrmalakasilva.blogspot.com/
>>>>>>>
>>>>>>> WSO2, Inc.
>>>>>>> lean . enterprise . middleware
>>>>>>> https://wso2.com/signature
>>>>>>> http://www.wso2.com/about/team/malaka-silva/
>>>>>>> <http://wso2.com/about/team/malaka-silva/>
>>>>>>> https://store.wso2.com/store/
>>>>>>>
>>>>>>> Don't make Trees rare, we should keep them with care
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Hasintha Indrajee
>>>>>> WSO2, Inc.
>>>>>> Mobile:+94 771892453
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Hasintha Indrajee
>>>>> WSO2, Inc.
>>>>> Mobile:+94 771892453
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Hasintha Indrajee
>>>> WSO2, Inc.
>>>> Mobile:+94 771892453
>>>>
>>>>
>>>> ___
>>>> Dev mailing list
>>>> Dev@wso2.org
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>>
>>>
>>>
>>> --
>>> Kathees
>>> Software Engineer,
>>> email: kath...@wso2.com
>>> mobile: +94772596173
>>>
>>
>>
>>
>> --
>> Hasintha Indrajee
>> WSO2, Inc.
>> Mobile:+94 771892453
>>
>>
>
>
> --
> Kathees
> Software Engineer,
> email: kath...@wso2.com
> mobile: +94772596173
>



-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] CAS is not working when the application is a SaaS app

2016-11-16 Thread Hasintha Indrajee
This is with a custom claim mapping right ?. I couldn't get requested claim
without a custom claim mapping. Is there anything I am overlooking ?

On Wed, Nov 16, 2016 at 5:01 PM, Kathees Rajendram <kath...@wso2.com> wrote:

> Hi Hasintha
>
> On Wed, Nov 16, 2016 at 12:54 PM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>>
>>
>> On Wed, Nov 16, 2016 at 12:25 PM, Hasintha Indrajee <hasin...@wso2.com>
>> wrote:
>>
>>>
>>>
>>> On Tue, Nov 15, 2016 at 5:41 PM, Hasintha Indrajee <hasin...@wso2.com>
>>> wrote:
>>>
>>>> Hi all,
>>>>
>>>> Please find the below fix for this issue. This includes an API change.
>>>> Please review and merge this fix.
>>>>
>>>> [1] https://github.com/wso2-extensions/identity-inbound-auth-cas/pull/10
>>>>
>>>
>>> This fix only returns subject. I think we need to improve it to return
>>> attributes as well.
>>>
>>
>> Sorry. Not getting attributes is a general behaviour I have observed for
>> super tenant users as well. I configured requested claims and still
>> couldn't get user claims. There seems to be an issue.
>>
>
> I was able to get the attributes with your fix by enabling "Requested
> Claim" check box in service provider. Please check and confirm.
>
>
>
>>
>>>> On Tue, Nov 15, 2016 at 2:52 PM, Malaka Silva <mal...@wso2.com> wrote:
>>>>
>>>>> Kanapriya can you have a quick look and update with findings please?
>>>>>
>>>>> On Tue, Nov 15, 2016 at 11:33 AM, Hasintha Indrajee <hasin...@wso2.com
>>>>> > wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> CAS is not working when we register a SaaS application and when I am
>>>>>> trying to login from a different tenant user. This should be supported by
>>>>>> CAS authentication as it is a basic requirement.
>>>>>>
>>>>>> --
>>>>>> Hasintha Indrajee
>>>>>> WSO2, Inc.
>>>>>> Mobile:+94 771892453
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> Best Regards,
>>>>>
>>>>> Malaka Silva
>>>>> Senior Technical Lead
>>>>> M: +94 777 219 791
>>>>> Tel : 94 11 214 5345
>>>>> Fax :94 11 2145300
>>>>> Skype : malaka.sampath.silva
>>>>> LinkedIn : http://www.linkedin.com/pub/malaka-silva/6/33/77
>>>>> Blog : http://mrmalakasilva.blogspot.com/
>>>>>
>>>>> WSO2, Inc.
>>>>> lean . enterprise . middleware
>>>>> https://wso2.com/signature
>>>>> http://www.wso2.com/about/team/malaka-silva/
>>>>> <http://wso2.com/about/team/malaka-silva/>
>>>>> https://store.wso2.com/store/
>>>>>
>>>>> Don't make Trees rare, we should keep them with care
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Hasintha Indrajee
>>>> WSO2, Inc.
>>>> Mobile:+94 771892453
>>>>
>>>>
>>>
>>>
>>> --
>>> Hasintha Indrajee
>>> WSO2, Inc.
>>> Mobile:+94 771892453
>>>
>>>
>>
>>
>> --
>> Hasintha Indrajee
>> WSO2, Inc.
>> Mobile:+94 771892453
>>
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> Kathees
> Software Engineer,
> email: kath...@wso2.com
> mobile: +94772596173
>



-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] CAS is not working when the application is a SaaS app

2016-11-15 Thread Hasintha Indrajee
On Wed, Nov 16, 2016 at 12:25 PM, Hasintha Indrajee <hasin...@wso2.com>
wrote:

>
>
> On Tue, Nov 15, 2016 at 5:41 PM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>> Hi all,
>>
>> Please find the below fix for this issue. This includes an API change.
>> Please review and merge this fix.
>>
>> [1] https://github.com/wso2-extensions/identity-inbound-auth-cas/pull/10
>>
>
> This fix only returns subject. I think we need to improve it to return
> attributes as well.
>

Sorry. Not getting attributes is a general behaviour I have observed for
super tenant users as well. I configured requested claims and still
couldn't get user claims. There seems to be an issue.

>
>> On Tue, Nov 15, 2016 at 2:52 PM, Malaka Silva <mal...@wso2.com> wrote:
>>
>>> Kanapriya can you have a quick look and update with findings please?
>>>
>>> On Tue, Nov 15, 2016 at 11:33 AM, Hasintha Indrajee <hasin...@wso2.com>
>>> wrote:
>>>
>>>> Hi All,
>>>>
>>>> CAS is not working when we register a SaaS application and when I am
>>>> trying to login from a different tenant user. This should be supported by
>>>> CAS authentication as it is a basic requirement.
>>>>
>>>> --
>>>> Hasintha Indrajee
>>>> WSO2, Inc.
>>>> Mobile:+94 771892453
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>> Best Regards,
>>>
>>> Malaka Silva
>>> Senior Technical Lead
>>> M: +94 777 219 791
>>> Tel : 94 11 214 5345
>>> Fax :94 11 2145300
>>> Skype : malaka.sampath.silva
>>> LinkedIn : http://www.linkedin.com/pub/malaka-silva/6/33/77
>>> Blog : http://mrmalakasilva.blogspot.com/
>>>
>>> WSO2, Inc.
>>> lean . enterprise . middleware
>>> https://wso2.com/signature
>>> http://www.wso2.com/about/team/malaka-silva/
>>> <http://wso2.com/about/team/malaka-silva/>
>>> https://store.wso2.com/store/
>>>
>>> Don't make Trees rare, we should keep them with care
>>>
>>
>>
>>
>> --
>> Hasintha Indrajee
>> WSO2, Inc.
>> Mobile:+94 771892453
>>
>>
>
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile:+94 771892453
>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] CAS is not working when the application is a SaaS app

2016-11-15 Thread Hasintha Indrajee
On Tue, Nov 15, 2016 at 5:41 PM, Hasintha Indrajee <hasin...@wso2.com>
wrote:

> Hi all,
>
> Please find the below fix for this issue. This includes an API change.
> Please review and merge this fix.
>
> [1] https://github.com/wso2-extensions/identity-inbound-auth-cas/pull/10
>

This fix only returns subject. I think we need to improve it to return
attributes as well.

>
> On Tue, Nov 15, 2016 at 2:52 PM, Malaka Silva <mal...@wso2.com> wrote:
>
>> Kanapriya can you have a quick look and update with findings please?
>>
>> On Tue, Nov 15, 2016 at 11:33 AM, Hasintha Indrajee <hasin...@wso2.com>
>> wrote:
>>
>>> Hi All,
>>>
>>> CAS is not working when we register a SaaS application and when I am
>>> trying to login from a different tenant user. This should be supported by
>>> CAS authentication as it is a basic requirement.
>>>
>>> --
>>> Hasintha Indrajee
>>> WSO2, Inc.
>>> Mobile:+94 771892453
>>>
>>>
>>
>>
>> --
>>
>> Best Regards,
>>
>> Malaka Silva
>> Senior Technical Lead
>> M: +94 777 219 791
>> Tel : 94 11 214 5345
>> Fax :94 11 2145300
>> Skype : malaka.sampath.silva
>> LinkedIn : http://www.linkedin.com/pub/malaka-silva/6/33/77
>> Blog : http://mrmalakasilva.blogspot.com/
>>
>> WSO2, Inc.
>> lean . enterprise . middleware
>> https://wso2.com/signature
>> http://www.wso2.com/about/team/malaka-silva/
>> <http://wso2.com/about/team/malaka-silva/>
>> https://store.wso2.com/store/
>>
>> Don't make Trees rare, we should keep them with care
>>
>
>
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile:+94 771892453
>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] CAS is not working when the application is a SaaS app

2016-11-15 Thread Hasintha Indrajee
Hi Kathees,

Before releasing this can you please check whether claim mappings are
working ? ie if we configure a different subject claim it should be there
as the subject. I think this is a valid basic requirement.

On Wed, Nov 16, 2016 at 9:44 AM, Kathees Rajendram <kath...@wso2.com> wrote:

> Yes. Will release a version of CAS inbound with this fix.
>
>
> Thanks,
> Kathees
>
> On Wed, Nov 16, 2016 at 8:22 AM, Malaka Silva <mal...@wso2.com> wrote:
>
>> Hi Kathees,
>>
>> Can you check this and release the fix to store please?
>>
>> On Tue, Nov 15, 2016 at 10:36 PM, Kanapriya Kuleswararajan <
>> kanapr...@wso2.com> wrote:
>>
>>> Hi Malaka,
>>>
>>> I have tested existing cas-inbound-authenticator by enable the SaaS
>>> application in super tenant domain and try to login from different tenant
>>> domain. But I couldn't login with different tenant domain.
>>>
>>> I checked with above fix also, It works fine when the application is a
>>> SaaS app.
>>>
>>> Thanks
>>>
>>> Kanapriya Kuleswararajan
>>> Associate Software Engineer
>>> Mobile : - 0774894438
>>> Mail : - kanapr...@wso2.com
>>>
>>> On Tue, Nov 15, 2016 at 5:41 PM, Hasintha Indrajee <hasin...@wso2.com>
>>> wrote:
>>>
>>>> Hi all,
>>>>
>>>> Please find the below fix for this issue. This includes an API change.
>>>> Please review and merge this fix.
>>>>
>>>> [1] https://github.com/wso2-extensions/identity-inbound-auth-cas/pull/10
>>>>
>>>> On Tue, Nov 15, 2016 at 2:52 PM, Malaka Silva <mal...@wso2.com> wrote:
>>>>
>>>>> Kanapriya can you have a quick look and update with findings please?
>>>>>
>>>>> On Tue, Nov 15, 2016 at 11:33 AM, Hasintha Indrajee <hasin...@wso2.com
>>>>> > wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> CAS is not working when we register a SaaS application and when I am
>>>>>> trying to login from a different tenant user. This should be supported by
>>>>>> CAS authentication as it is a basic requirement.
>>>>>>
>>>>>> --
>>>>>> Hasintha Indrajee
>>>>>> WSO2, Inc.
>>>>>> Mobile:+94 771892453
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> Best Regards,
>>>>>
>>>>> Malaka Silva
>>>>> Senior Technical Lead
>>>>> M: +94 777 219 791
>>>>> Tel : 94 11 214 5345
>>>>> Fax :94 11 2145300
>>>>> Skype : malaka.sampath.silva
>>>>> LinkedIn : http://www.linkedin.com/pub/malaka-silva/6/33/77
>>>>> Blog : http://mrmalakasilva.blogspot.com/
>>>>>
>>>>> WSO2, Inc.
>>>>> lean . enterprise . middleware
>>>>> https://wso2.com/signature
>>>>> http://www.wso2.com/about/team/malaka-silva/
>>>>> <http://wso2.com/about/team/malaka-silva/>
>>>>> https://store.wso2.com/store/
>>>>>
>>>>> Don't make Trees rare, we should keep them with care
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Hasintha Indrajee
>>>> WSO2, Inc.
>>>> Mobile:+94 771892453
>>>>
>>>>
>>>
>>
>>
>> --
>>
>> Best Regards,
>>
>> Malaka Silva
>> Senior Technical Lead
>> M: +94 777 219 791
>> Tel : 94 11 214 5345
>> Fax :94 11 2145300
>> Skype : malaka.sampath.silva
>> LinkedIn : http://www.linkedin.com/pub/malaka-silva/6/33/77
>> Blog : http://mrmalakasilva.blogspot.com/
>>
>> WSO2, Inc.
>> lean . enterprise . middleware
>> https://wso2.com/signature
>> http://www.wso2.com/about/team/malaka-silva/
>> <http://wso2.com/about/team/malaka-silva/>
>> https://store.wso2.com/store/
>>
>> Don't make Trees rare, we should keep them with care
>>
>
>
>
> --
> Kathees
> Software Engineer,
> email: kath...@wso2.com
> mobile: +94772596173
>



-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] CAS is not working when the application is a SaaS app

2016-11-15 Thread Hasintha Indrajee
Hi all,

Please find the below fix for this issue. This includes an API change.
Please review and merge this fix.

[1] https://github.com/wso2-extensions/identity-inbound-auth-cas/pull/10

On Tue, Nov 15, 2016 at 2:52 PM, Malaka Silva <mal...@wso2.com> wrote:

> Kanapriya can you have a quick look and update with findings please?
>
> On Tue, Nov 15, 2016 at 11:33 AM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>> Hi All,
>>
>> CAS is not working when we register a SaaS application and when I am
>> trying to login from a different tenant user. This should be supported by
>> CAS authentication as it is a basic requirement.
>>
>> --
>> Hasintha Indrajee
>> WSO2, Inc.
>> Mobile:+94 771892453
>>
>>
>
>
> --
>
> Best Regards,
>
> Malaka Silva
> Senior Technical Lead
> M: +94 777 219 791
> Tel : 94 11 214 5345
> Fax :94 11 2145300
> Skype : malaka.sampath.silva
> LinkedIn : http://www.linkedin.com/pub/malaka-silva/6/33/77
> Blog : http://mrmalakasilva.blogspot.com/
>
> WSO2, Inc.
> lean . enterprise . middleware
> https://wso2.com/signature
> http://www.wso2.com/about/team/malaka-silva/
> <http://wso2.com/about/team/malaka-silva/>
> https://store.wso2.com/store/
>
> Don't make Trees rare, we should keep them with care
>



-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


[Dev] CAS is not working when the application is a SaaS app

2016-11-14 Thread Hasintha Indrajee
Hi All,

CAS is not working when we register a SaaS application and when I am trying
to login from a different tenant user. This should be supported by CAS
authentication as it is a basic requirement.

-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] CAS connector doesn't work with federated authenticators.

2016-11-01 Thread Hasintha Indrajee
Hi Harsha,

Following are the resources where you can get information about CAS (provided by
Kanapriya):

https://docs.wso2.com/display/ISCONNECTORS/CAS+Inbound+Authenticator
https://github.com/wso2-extensions/identity-inbound-auth-cas/pull/2
https://github.com/apereo/cas/blob/master/docs/cas-server-documentation/protocol/CAS-Protocol-Specification.md
https://github.com/UniconLabs/cas-sample-java-webapp
https://wiki.jasig.org/display/CASC/Configuring+the+Jasig+CAS+Client+for+Java+in+the+web.xml

On Tue, Nov 1, 2016 at 7:56 PM, Harsha Thirimanna <hars...@wso2.com> wrote:

> Hi Hasintha,
>
> Did you get any documentation for this to know the request and
> configuration details with CAS ?
>
> *Harsha Thirimanna*
> Associate Tech Lead | WSO2
>
> Email: hars...@wso2.com
> Mob: +94715186770
> Blog: http://harshathirimanna.blogspot.com/
> Twitter: http://twitter.com/harshathirimann
> Linked-In: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122
> <http://wso2.com/signature>
>
> On Tue, Nov 1, 2016 at 5:52 PM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>> Hi,
>>
>> I was trying to log in through CAS as the inbound protocol and I used Facebook
>> as a federated authenticator. This scenario didn't work; it always prompts
>> me with Identity Server's basic auth login page. Aren't we supporting this
>> case? Ideally we should support this, right? Or am I missing something here?
>>
>> Also, do we have any idea to implement "samlValidate" in CAS in the near future?
>>
>> --
>> Hasintha Indrajee
>> WSO2, Inc.
>> Mobile:+94 771892453
>>
>>
>>
>>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] CAS connector doesn't work with federated authenticators.

2016-11-01 Thread Hasintha Indrajee
If this is the case then we should fix this in the sample cas client webapp.

On Tue, Nov 1, 2016 at 9:28 PM, Harsha Thirimanna <hars...@wso2.com> wrote:

> So in your case, I feel like there should be missing the relyingParty
> value to pick the correct service provider to get the configured
> authentication options.
>
> *Harsha Thirimanna*
> Associate Tech Lead | WSO2
>
> Email: hars...@wso2.com
> Mob: +94715186770
> Blog: http://harshathirimanna.blogspot.com/
> Twitter: http://twitter.com/harshathirimann
> Linked-In: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122
> <http://wso2.com/signature>
>
> On Tue, Nov 1, 2016 at 9:15 PM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>> Hi Harsha,
>>
>> Following are the resources where you can get information about CAS (provided
>> by Kanapriya):
>>
>> https://docs.wso2.com/display/ISCONNECTORS/CAS+Inbound+Authenticator
>> https://github.com/wso2-extensions/identity-inbound-auth-cas/pull/2
>> https://github.com/apereo/cas/blob/master/docs/cas-server-documentation/protocol/CAS-Protocol-Specification.md
>> https://github.com/UniconLabs/cas-sample-java-webapp
>> https://wiki.jasig.org/display/CASC/Configuring+the+Jasig+CAS+Client+for+Java+in+the+web.xml
>>
>> On Tue, Nov 1, 2016 at 7:56 PM, Harsha Thirimanna <hars...@wso2.com>
>> wrote:
>>
>>> Hi Hasintha,
>>>
>>> Did you get any documentation for this to know the request and
>>> configuration details with CAS ?
>>>
>>> *Harsha Thirimanna*
>>> Associate Tech Lead | WSO2
>>>
>>> Email: hars...@wso2.com
>>> Mob: +94715186770
>>> Blog: http://harshathirimanna.blogspot.com/
>>> Twitter: http://twitter.com/harshathirimann
>>> Linked-In: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122
>>> <http://wso2.com/signature>
>>>
>>> On Tue, Nov 1, 2016 at 5:52 PM, Hasintha Indrajee <hasin...@wso2.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I was trying to log in through CAS as the inbound protocol and I used
>>>> Facebook as a federated authenticator. This scenario didn't work; it always
>>>> prompts me with Identity Server's basic auth login page. Aren't we supporting
>>>> this case? Ideally we should support this, right? Or am I missing
>>>> something here?
>>>>
>>>> Also, do we have any idea to implement "samlValidate" in CAS in the near
>>>> future?
>>>>
>>>> --
>>>> Hasintha Indrajee
>>>> WSO2, Inc.
>>>> Mobile:+94 771892453
>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>> --
>> Hasintha Indrajee
>> WSO2, Inc.
>> Mobile:+94 771892453
>>
>>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


[Dev] CAS connector doesn't work with federated authenticators.

2016-11-01 Thread Hasintha Indrajee
Hi,

I was trying to log in through CAS as the inbound protocol and I used Facebook
as a federated authenticator. This scenario didn't work; it always prompts
me with Identity Server's basic auth login page. Aren't we supporting this
case? Ideally we should support this, right? Or am I missing something here?

Also, do we have any idea to implement "samlValidate" in CAS in the near future?

-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] Update Links in WSO2 Identity Server Analytics page in GitHub.

2016-10-26 Thread Hasintha Indrajee
Hi Danoja.

Thanks for pointing out.

"WSO2 Identity Server Analytics can be used to monitor authentication
related analytics for residence and federated authentication scenarios."

Along with that PR, It would be nice if you can change the above statement
to the following and link "WSO2 Identity Server" to Identity Server page.

"WSO2 Identity Server Analytics can be used to monitor authentication
related analytics for residence and federated authentication scenarios of
WSO2 Identity Server"

On Wed, Oct 26, 2016 at 12:21 PM, Ruwan Abeykoon <ruw...@wso2.com> wrote:

> Thanks Danoja for pointing out.
> Looks like the markdown syntax is wrong on the link.
> Would you be able to rectify it and send a PR?
>
> Cheers,
> Ruwan
>
> On Wed, Oct 26, 2016 at 12:01 PM, Danoja Dias <dan...@wso2.com> wrote:
>
>> Hi,
>>
>> The link to WSO2 DAS that appears in the README.md file in
>> https://github.com/wso2/analytics-is does not work. When I try to access
>> it, it fails with a message "Page not found".
>>
>> I think it would be nice to update that link.
>>
>> --
>> Regards,
>> Danoja Dias
>> Intern Software Engineering - WSO2
>>
>> Email : dan...@wso2.com
>> Mobile : +94771160393
>>
>>
>
>
>
> --
>
> *Ruwan Abeykoon*
> *Associate Director/Architect**,*
> *WSO2, Inc. http://wso2.com <https://wso2.com/signature> *
> *lean.enterprise.middleware.*
>
>
>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] [VOTE] Release WSO2 Identity Server 5.2.0- RC1

2016-09-13 Thread Hasintha Indrajee
Tested IS Analytics including


   1. Enabling and disabling analytics (publishers),
   2. Data publishing through publishers.
   3. Analytics Dashboard functionalities.
   4. Session Analytics
   5. Login Analytics


   -  Variation over time
   -  Drilling down from different attributes
   -  Content of data table

No blocking issues found.
[+] Stable - go ahead and release


On Sat, Sep 10, 2016 at 7:48 AM, Kasun Bandara <kas...@wso2.com> wrote:

> Hi All,
>
> This is the 1st Release Candidate of WSO2 Identity Server 5.2.0
>
> Please download, test the product and vote. Vote will be open for 72 hours
> or as needed.
>
> This release fixes the following issues:
> https://wso2.org/jira/issues/?filter=13329
>
> Source and distribution
>
> Run-time   : https://github.com/wso2/product-is/releases/tag/v5.2.0-rc1
> Analytics   : https://github.com/wso2/analytics-is/releases/tag/v5.2.0-rc1
>
> Please vote as follows.
> [+] Stable - go ahead and release
> [-] Broken - do not release (explain why)
>
> Thanks,
> - WSO2 Identity Server Team -
>
> --
> Kasun Bandara
> *Software Engineer*
> Mobile : +94 (0) 718 338 360
> kas...@wso2.com <thili...@wso2.com>
>
>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


[Dev] Error while accessing dashboard from host name

2016-08-16 Thread Hasintha Indrajee
Caused by: org.mozilla.javascript.WrappedException: Wrapped org.apache.axis2.AxisFault: hostname in certificate didn't match:  !=  (/portal/modules/api.js#28)
    at org.mozilla.javascript.Context.throwAsScriptRuntimeEx(Context.java:1754)
    at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:148)
    at org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:225)
    at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
    at org.jaggeryjs.rhino.portal.modules.c7._c_anonymous_1(/portal/modules/api.js:28)
    at org.jaggeryjs.rhino.portal.modules.c7.call(/portal/modules/api.js)
    at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
    at org.jaggeryjs.rhino.portal.controllers.apis.c0._c_anonymous_1(/portal/controllers/apis/login.jag:76)
    at org.jaggeryjs.rhino.portal.controllers.apis.c0.call(/portal/controllers/apis/login.jag)
    at org.mozilla.javascript.optimizer.OptRuntime.call0(OptRuntime.java:23)
    at org.jaggeryjs.rhino.portal.controllers.apis.c0._c_script_0(/portal/controllers/apis/login.jag:18)
    at org.jaggeryjs.rhino.portal.controllers.apis.c0.call(/portal/controllers/apis/login.jag)
    at org.jaggeryjs.rhino.portal.controllers.apis.c0.exec(/portal/controllers/apis/login.jag)
    at org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:567)
    ... 82 more
Caused by: org.apache.axis2.AxisFault: hostname in certificate didn't match:  !=
    at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
    at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:199)
    at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:77)
    at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:451)
    at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:278)
    at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:430)
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
    at org.wso2.carbon.authenticator.stub.AuthenticationAdminStub.login(AuthenticationAdminStub.java:659)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
    ... 94 more
Caused by: javax.net.ssl.SSLException: hostname in certificate didn't match:  !=
    at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:341)
    at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:277)
    at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:260)
    at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:169)
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
    at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:659)
    at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:195)
    ... 107 more



-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


[Dev] IS-Analytics - Hiding 'Internal/Everyone' and 'Application' roles in "Roles" gadget.

2016-08-08 Thread Hasintha Indrajee
Hi all,

We have the following concerns about showing roles in gadgets in IS
analytics.

In IS analytics, do we need to show 'Application' roles in the top roles gadget?
For example, do we need to show the "Application/travelocity" role as a top
role in the role gadget if the count is high? We have the following two options.

1) Avoid sending out 'Application' roles to the DAS side from IS - If we follow
this option we will not be able to drill down from these roles as well.

2) Hide it in the top roles gadget and just allow drilling down from it if
the admin wants, using the filter option. (So this will not show in the top roles
gadget even if the count is very high, but can be used to drill down from.)

The second concern is, since we have the Internal/Everyone role for all users,
shall we avoid showing it in top roles? If we show it, it will be the most
frequent and highly involved role of users. Again, we have the above stated two
options for this as well.

I think the 2nd option is more meaningful and useful for both of the above
scenarios. WDYT?
-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] IS Analytics - Handling zero values in Login Attempts over Time chart

2016-07-25 Thread Hasintha Indrajee
On Mon, Jul 25, 2016 at 11:14 AM, Mohanadarshan Vivekanandalingam <
mo...@wso2.com> wrote:

> I prefer the figure [2] which shows 0 values since it gives more
> meaningful information to the user..
>
> +1 for displaying as in figure [2] which is more meaningful.
>
>
> Thanks,
> Mohan
>
>
> On Mon, Jul 25, 2016 at 11:08 AM, Manorama Perera <manor...@wso2.com>
> wrote:
>
>> Hi all,
>>
>> In Authentication dashboard we show login attempts using an area chart.
>> The current implementation of this chart doesn't show zero values when
>> there are no login attempts corresponding to some points of time within the
>> selected period of time.
>>
>> For example, as described in [1], consider following scenario where we
>> have login events from 10.10 AM to 10.25 AM
>>
>> From 10.10 - 10.13 - There are some login attempts
>> From 10.14 - 10.17 - *Zero login attempts*
>> From 10.18 - 10.25 - Some login attempts
>>
>> Currently we are showing the above information in the chart as follows,
>>
>> [image: Inline image 1]
>>
>> In this chart we are not showing the information about the zero login
>> attempts.
>>
>> In order to show these information, we have changed the chart as below,
>>
>> [image: Inline image 2]
>>
>> Now it is showing the zero login attempts. But the chart now is divided
>> into two areas.
>>
>> What is the better way to draw chart when we have zero login attempts.
>> Appreciate any suggestions and opinions on this.
>>
>> [1] https://wso2.org/jira/browse/ANLYIS-64
>>
>> Thanks
>> --
>> Manorama Perera
>> Software Engineer
>> WSO2, Inc.;  http://wso2.com/
>> Mobile : +94716436216
>>
>
>
>
> --
> *V. Mohanadarshan*
> *Associate Tech Lead,*
> *Data Technologies Team,*
> *WSO2, Inc. http://wso2.com <http://wso2.com> *
> *lean.enterprise.middleware.*
>
> email: mo...@wso2.com
> phone:(+94) 771117673
>



-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] [IS-Analytics] Tenant domain of a login event using SaaS application.

2016-07-20 Thread Hasintha Indrajee
Thanks for your inputs. BTW, what about session data? Do we need to
publish session data also to both tenants?

On Fri, Jul 15, 2016 at 8:54 PM, Johann Nallathamby <joh...@wso2.com> wrote:

> I also think it is good to publish to two tenants. However we need to
> validate if there are any security concerns.
>
> E.g. let's say user John belonging to foo.com logs into travelocity.com
> registered in bar.com. Tenant admin of foo.com should see it as a login
> attempt in his dashboard, by one of his users for an application outside
> his domain, and tenant admin of bar.com also should see it in his
> dashboard, as a login attempt from a user outside his domain to one of his
> apps.
>
> On Fri, Jul 15, 2016 at 5:47 PM, Darshana Gunawardana <darsh...@wso2.com>
> wrote:
>
>>
>>
>> On Fri, Jul 15, 2016 at 3:47 PM, Hasintha Indrajee <hasin...@wso2.com>
>> wrote:
>>
>>> Hi All,
>>>
>>> For a SaaS application, what is the tenant domain related to a login event?
>>> Is that the tenant domain in which the SP is registered, or is that the
>>> logged-in user's tenant domain?
>>>
>>> If we consider sending out the tenant domain as just a record, it's fine to
>>> add either (reasonable). But the problem is we need a specific tenant
>>> domain to publish this event. According to the current way of event
>>> publishing to the DAS, we need to start a tenant flow before publishing. In
>>> this case we need a specific tenant domain to publish this event. Or else
>>> do we need to publish this event to both tenant domains (starting two
>>> tenant flows) in the case of a SaaS app?
>>>
>>
>> +1
>>
>>>
>>>
>>>
>>> --
>>> Hasintha Indrajee
>>> WSO2, Inc.
>>> Mobile:+94 771892453
>>>
>>>
>>
>>
>> --
>> Regards,
>>
>>
>> *Darshana Gunawardana*Associate Technical Lead
>> WSO2 Inc.; http://wso2.com
>>
>> *E-mail: darsh...@wso2.com <darsh...@wso2.com>*
>> *Mobile: +94718566859 <%2B94718566859>*Lean . Enterprise . Middleware
>>
>
>
>
> --
> Thanks & Regards,
>
> *Johann Dilantha Nallathamby*
> Technical Lead & Product Lead of WSO2 Identity Server
> Governance Technologies Team
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+9476950*
> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>



-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


[Dev] [IS-Analytics] Tenant domain of a login event using SaaS application.

2016-07-15 Thread Hasintha Indrajee
Hi All,

For a SaaS application, what is the tenant domain related to a login event?
Is that the tenant domain in which the SP is registered, or is that the
logged-in user's tenant domain?

If we consider sending out the tenant domain as just a record, it's fine to add
either (reasonable). But the problem is we need a specific tenant domain to
publish this event. According to the current way of event publishing to the
DAS, we need to start a tenant flow before publishing. In this case we need
a specific tenant domain to publish this event. Or else do we need to
publish this event to both tenant domains (starting two tenant flows) in
the case of a SaaS app?



-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


[Dev] "Error 403 - Forbidden" when session expires in admin console

2016-07-06 Thread Hasintha Indrajee
Hi all,

When trying to perform operations through admin console, once the session
is expired we are getting a 403 from admin console. Seems like this occurs
due to CSRF filter blocking the request since the session is no longer
available at the server side.

[2016-07-06 15:34:27,576]  WARN {org.owasp.csrfguard.log.JavaLogger} -
potential cross-site request forgery (CSRF) attack thwarted
(user:, ip:127.0.0.1, method:POST,
uri:/carbon/userprofile/set-finish-ajaxprocessor.jsp, error:request token
does not match session token)
-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453
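
The behaviour reported above, as an added example that is not part of the original post and is not WSO2 or OWASP CSRFGuard code: a token-only check cannot tell an expired session from a forged request, while checking session liveness first can. `SessionStore`, `naive_check`, `session_aware_check` and the `Decision` values are hypothetical names, and the timestamps are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    REAUTHENTICATE = "reauthenticate"  # session gone: send the user back to login
    FORBIDDEN = "forbidden"            # live session, wrong token: treat as CSRF


@dataclass
class Session:
    csrf_token: str
    expires_at: float


class SessionStore:
    """In-memory stand-in for the server-side session table (hypothetical)."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._sessions = {}

    def create(self, now):
        """Start a session and return (session id, CSRF token bound to it)."""
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = Session(secrets.token_urlsafe(32), now + self.ttl)
        return sid, self._sessions[sid].csrf_token

    def get_live(self, sid, now):
        """Return the session if it exists and has not expired, else None."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if now >= session.expires_at:
            del self._sessions[sid]  # expired sessions are dropped, as on timeout
            return None
        return session


def naive_check(store, sid, token, now):
    """Token comparison only: a missing session looks like a forged request."""
    session = store.get_live(sid, now)
    expected = session.csrf_token if session else ""
    if token and hmac.compare_digest(expected.encode(), token.encode()):
        return Decision.ALLOW
    return Decision.FORBIDDEN


def session_aware_check(store, sid, token, now):
    """Check session liveness first, then compare tokens in constant time."""
    session = store.get_live(sid, now)
    if session is None:
        return Decision.REAUTHENTICATE
    if token and hmac.compare_digest(session.csrf_token.encode(), token.encode()):
        return Decision.ALLOW
    return Decision.FORBIDDEN


def replay_expired_post():
    """A page loaded at t=1000 is submitted at t=2000, after a 900 s timeout."""
    store = SessionStore(ttl_seconds=900)
    sid, token = store.create(now=1000.0)
    return (
        naive_check(store, sid, token, now=2000.0),
        session_aware_check(store, sid, token, now=2000.0),
    )


if __name__ == "__main__":
    naive, aware = replay_expired_post()
    print("token-only check:    ", naive.value)
    print("session-aware check: ", aware.value)
```

With the second check, a CSRF warning in the log means a live session received a wrong token, which keeps session timeouts out of the CSRF alert count.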


Re: [Dev] Adding drill down capabilities to the Area Chart in IS Analytics Server Dashboard

2016-06-30 Thread Hasintha Indrajee
Hi Inosh,

Do we need this new field in session stream as well ?

On Wed, Jun 29, 2016 at 3:13 PM, Nuwandi Wickramasinghe <nuwan...@wso2.com>
wrote:

> Please find the public jira in [1]
>
> [1] https://wso2.org/jira/browse/IDENTITY-4739
>
> On Wed, Jun 29, 2016 at 2:51 PM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>> Hi all,
>>
>> Had an offline discussion with Nuwandi and following are some points.
>>
>> - We can filter region from IP and provide ability to drill down, but if
>> we follow this approach, region is not shown in the tables. This leads to a
>> different user experience.
>>
>> Since we don't have any other possible solutions as suggested by Mohan,
>> let's go with the first approach. Please create a jira for this and state
>> required changes to the stream definitions.
>>
>> On Wed, Jun 29, 2016 at 12:38 PM, Mohanadarshan Vivekanandalingam <
>> mo...@wso2.com> wrote:
>>
>>> HI Johann & Hasintha,
>>>
>>> Appreciate any feedback on above, then we can implement accordingly and
>>> do some perf tests.. If drill capability is required for Map then we need
>>> to follow above option.. Here, we can
>>>
>>> 1) Change the stream in Identity level and publish
>>> 2) Change at DAS level by adding another attributes in Siddhi scope..
>>>
>>> But, I like to avoid option [2] to avoid unnecessary event conversions
>>> (which impact the TPS).. Then, option [1] is the only solution in this
>>> case..
>>>
>>> Thanks,
>>> Mohan
>>>
>>>
>>> On Tue, Jun 28, 2016 at 4:16 PM, Nuwandi Wickramasinghe <
>>> nuwan...@wso2.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> IS Analytics dashboard contains a map in which we have marked the
>>>> regions of users who have authenticated through Identity Server. Our
>>>> concern is whether we should allow to drill down from this map.
>>>>
>>>> Normally when drilling down from a gadget, in the dashboard we only
>>>> show the data related to that selected field. And there's a data table
>>>> below which shows the raw data corresponding to the selected field. This
>>>> data table is populated using the raw stream which is published from
>>>> Identity Server side.
>>>>
>>>> When implementing drill down capabilities from the area chart (map), we
>>>> are facing an issue in populating the data table since the raw data stream
>>>> published from IS contains only the remoteIp (which is used to determine
>>>> the region) but not the region field itself.
>>>>
>>>> Regions and IP addresses have one to many relationship. Which means a
>>>> large range of IPs corresponds to one region. Therefore we can get the
>>>> region from IP but not vice versa. This leaves the issue that we cannot
>>>> search in the raw stream using the region selected from the map.
>>>>
>>>> Suggested solution is to change the raw data stream to contain an
>>>> additional 'region' attribute which could be used to search for the data
>>>> related to a particular region. The value of region for the raw data will
>>>> be sent as 'NOT_AVAILABLE'. We are planning to update this value to the
>>>> correct region according to the remoteIp value using a spark query. We
>>>> considered updating the records from the execution plan but that could
>>>> delay the real time process.
>>>>
>>>> If we are going to implement this, Hasintha will have to introduce the
>>>> new region attribute to the stream with a default value. Also this might
>>>> introduce some performance degrade in the db level.
>>>>
>>>> We are still considering the need of drilling down from the region map.
>>>> Appreciate other opinions regarding the subject.
>>>>
>>>> Thanks
>>>> Nuwandi
>>>>
>>>> --
>>>>
>>>> Best Regards,
>>>>
>>>> Nuwandi Wickramasinghe
>>>>
>>>> Software Engineer
>>>>
>>>> WSO2 Inc.
>>>>
>>>> Web : http://wso2.com
>>>>
>>>> Mobile : 0719214873
>>>>
>>>
>>>
>>>
>>> --
>>> *V. Mohanadarshan*
>>> *Associate Tech Lead,*
>>> *Data Technologies Team,*
>>> *WSO2, Inc. http://wso2.com <http://wso2.com> *
>>> *lean.enterprise.middleware.*
>>>
>>> email: mo...@wso2.com
>>> phone:(+94) 771117673
>>>
>>
>>
>>
>> --
>> Hasintha Indrajee
>> WSO2, Inc.
>> Mobile:+94 771892453
>>
>>
>
>
> --
>
> Best Regards,
>
> Nuwandi Wickramasinghe
>
> Software Engineer
>
> WSO2 Inc.
>
> Web : http://wso2.com
>
> Mobile : 0719214873
>



-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] Adding drill down capabilities to the Area Chart in IS Analytics Server Dashboard

2016-06-29 Thread Hasintha Indrajee
Hi all,

Had an offline discussion with Nuwandi and following are some points.

- We can filter region from IP and provide ability to drill down, but if we
follow this approach, region is not shown in the tables. This leads to a
different user experience.

Since we don't have any other possible solutions as suggested by Mohan,
let's go with the first approach. Please create a jira for this and state
required changes to the stream definitions.

On Wed, Jun 29, 2016 at 12:38 PM, Mohanadarshan Vivekanandalingam <
mo...@wso2.com> wrote:

> HI Johann & Hasintha,
>
> Appreciate any feedback on above, then we can implement accordingly and do
> some perf tests.. If drill capability is required for Map then we need to
> follow above option.. Here, we can
>
> 1) Change the stream in Identity level and publish
> 2) Change at DAS level by adding another attributes in Siddhi scope..
>
> But, I like to avoid option [2] to avoid unnecessary event conversions
> (which impact the TPS).. Then, option [1] is the only solution in this
> case..
>
> Thanks,
> Mohan
>
>
> On Tue, Jun 28, 2016 at 4:16 PM, Nuwandi Wickramasinghe <nuwan...@wso2.com
> > wrote:
>
>> Hi all,
>>
>> IS Analytics dashboard contains a map in which we have marked the regions
>> of users who have authenticated through Identity Server. Our concern is
>> whether we should allow to drill down from this map.
>>
>> Normally when drilling down from a gadget, in the dashboard we only show
>> the data related to that selected field. And there's a data table below
>> which shows the raw data corresponding to the selected field. This data
>> table is populated using the raw stream which is published from Identity
>> Server side.
>>
>> When implementing drill down capabilities from the area chart (map), we
>> are facing an issue in populating the data table since the raw data stream
>> published from IS contains only the remoteIp (which is used to determine
>> the region) but not the region field itself.
>>
>> Regions and IP addresses have one to many relationship. Which means a
>> large range of IPs corresponds to one region. Therefore we can get the
>> region from IP but not vice versa. This leaves the issue that we cannot
>> search in the raw stream using the region selected from the map.
>>
>> Suggested solution is to change the raw data stream to contain an
>> additional 'region' attribute which could be used to search for the data
>> related to a particular region. The value of region for the raw data will
>> be sent as 'NOT_AVAILABLE'. We are planning to update this value to the
>> correct region according to the remoteIp value using a spark query. We
>> considered updating the records from the execution plan but that could
>> delay the real time process.
>>
>> If we are going to implement this, Hasintha will have to introduce the
>> new region attribute to the stream with a default value. Also this might
>> introduce some performance degrade in the db level.
>>
>> We are still considering the need of drilling down from the region map.
>> Appreciate other opinions regarding the subject.
>>
>> Thanks
>> Nuwandi
>>
>> --
>>
>> Best Regards,
>>
>> Nuwandi Wickramasinghe
>>
>> Software Engineer
>>
>> WSO2 Inc.
>>
>> Web : http://wso2.com
>>
>> Mobile : 0719214873
>>
>
>
>
> --
> *V. Mohanadarshan*
> *Associate Tech Lead,*
> *Data Technologies Team,*
> *WSO2, Inc. http://wso2.com <http://wso2.com> *
> *lean.enterprise.middleware.*
>
> email: mo...@wso2.com
> phone:(+94) 771117673
>



-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453
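
The approach agreed in this thread, as an added example that is not WSO2 code (the thread proposes a Spark query for the update; plain Python stands in for it here): events arrive with `region` set to 'NOT_AVAILABLE', a batch step fills it in from `remoteIp`, and the data table can then be filtered by the region picked on the map. The CIDR table, region codes, `username` field and function names are constructed for illustration.

```python
import ipaddress
from bisect import bisect_right

NOT_AVAILABLE = "NOT_AVAILABLE"

# Constructed CIDR-to-region table (documentation address ranges, made-up regions).
CIDR_REGIONS = [
    ("192.0.2.0/24", "LK"),
    ("198.51.100.0/25", "US"),
    ("198.51.100.128/25", "DE"),
    ("203.0.113.0/24", "US"),
]


class RegionIndex:
    """Sorted, non-overlapping IPv4 ranges; a lookup is one binary search."""

    def __init__(self, cidr_regions):
        ranges = []
        for cidr, region in cidr_regions:
            net = ipaddress.ip_network(cidr)
            ranges.append((int(net.network_address), int(net.broadcast_address), region))
        ranges.sort()
        self._ranges = ranges
        self._starts = [r[0] for r in ranges]

    def region_of(self, remote_ip):
        """Many IPs map to one region; unknown or malformed IPs keep the default."""
        try:
            addr = int(ipaddress.IPv4Address(remote_ip))
        except ipaddress.AddressValueError:
            return NOT_AVAILABLE
        i = bisect_right(self._starts, addr) - 1
        if i >= 0 and self._ranges[i][0] <= addr <= self._ranges[i][1]:
            return self._ranges[i][2]
        return NOT_AVAILABLE


def sample_events():
    """Constructed raw login events as published, before the batch update."""
    return [
        {"username": "alice", "remoteIp": "192.0.2.10", "region": NOT_AVAILABLE},
        {"username": "bob", "remoteIp": "198.51.100.200", "region": NOT_AVAILABLE},
        {"username": "carol", "remoteIp": "203.0.113.7", "region": NOT_AVAILABLE},
        {"username": "dave", "remoteIp": "198.51.100.5", "region": NOT_AVAILABLE},
        {"username": "erin", "remoteIp": "10.0.0.1", "region": NOT_AVAILABLE},
    ]


def backfill_regions(events, index):
    """Batch step: set 'region' only where it still holds the default value."""
    updated = 0
    for event in events:
        if event.get("region", NOT_AVAILABLE) == NOT_AVAILABLE:
            region = index.region_of(event["remoteIp"])
            event["region"] = region
            if region != NOT_AVAILABLE:
                updated += 1
    return updated


def drill_down(events, region):
    """Data-table query: raw events for the region selected on the map."""
    return [e for e in events if e.get("region") == region]


if __name__ == "__main__":
    events = sample_events()
    print("before:", [e["username"] for e in drill_down(events, "US")])
    print("updated:", backfill_regions(events, RegionIndex(CIDR_REGIONS)))
    print("after: ", [e["username"] for e in drill_down(events, "US")])
```

Until the batch step has run, a drill-down by region returns nothing for newly published events, which is the delay the thread accepts in exchange for keeping the real-time path unchanged.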


Re: [Dev] Error when invoking Active STS Request

2016-06-21 Thread Hasintha Indrajee
Services which are secured with policies are stored in the registry. Can you
please check whether the "rampartConfig" section is there in the policy which
is stored in the registry after applying the policy? Please check in both
versions.

On Tue, Jun 21, 2016 at 11:34 AM, Kasun Bandara <kas...@wso2.com> wrote:

> Hi all,
>
> I'm attempting $subject on the latest IS pack [1]. Below is the sample STS
> request that I'm attempting.
>
> http://www.w3.org/2003/05/soap-envelope; xmlns:wsa="
> http://www.w3.org/2005/08/addressing;
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy;
> xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
> xmlns:wssc="http://schemas.xmlsoap.org/ws/2005/02/sc; xmlns:wst="
> http://schemas.xmlsoap.org/ws/2005/02/trust;
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd;
> xmlns:wsse="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd;
>
> xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL;>
>
>   
> http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
>   
> https://localhost:9443/services/wso2carbon-sts.wso2carbon-stsHttpsSoap12Endpoint
> 
>   1454429880
>   
>  
> kasun
> kasun
>  
>  
> 2016-06-02T15:40:01Z
> 2018-02-02T16:23:01Z
>  
>   
>
>
>   
>  
> http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
>  
> 
>urn:federation:MicrosoftOnline
> 
>  
>  
> http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey
>   
>
> 
>
>
> I get the following SOAP response error after invoking the above request.
>
> http://www.w3.org/2003/05/soap-envelope;>
>http://www.w3.org/2005/08/addressing;>
>   http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
> ">
>  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> ">
> 2016-06-21T05:49:42.359Z
> 2016-06-21T05:54:42.359Z
>  
>   
>   http://www.w3.org/2005/08/addressing/soap/fault
> 
>   1454429880
>
>
>   
>  
> soapenv:Receiver
>  
>  
>  xml:lang="en-US">java.lang.NullPointerException
>  
>  
>   
>
> 
>
> In addition to this, I can see the following error stack in the carbon logs.
>
> TID: [-1234] [] [2016-06-21 11:19:42,267] ERROR {org.apache.axis2.transport.http.AxisServlet} -
> java.lang.NullPointerException
>     at org.apache.rampart.PolicyBasedResultsValidator.validate(PolicyBasedResultsValidator.java:93)
>     at org.apache.rampart.RampartEngine.process(RampartEngine.java:470)
>     at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
>     at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
>     at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
>     at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
>     at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
>     at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:173)
>
> The same request works as expected with an older rampart version. When
> debugging this issue it was found that the Rampart Configuration class
> isn't initiated in the latest pack when starting the server, even though it
> initiates in the older pack. (i.e. the STS endpoint is secured with a
> UTOverTransport policy)
>
> Appreciate any feedback on this.
>
>
>
> Thanks,
> Kasun.
>
>
> [1]
> http://maven.wso2.org/nexus/content/repositories/snapshots/org/wso2/is/wso2is/5.2.0-SNAPSHOT/
>
>
>
>
>
> --
> Kasun Bandara
> *Software Engineer*
> Mobile : +94 (0) 718 338 360
> kas...@wso2.com <thili...@wso2.com>
>



-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] IS Analytics Issue in showing overall Authentication count when followed multiple step authentication

2016-06-19 Thread Hasintha Indrajee
Hi Damith,

Using the isFederated field for this purpose does not seem meaningful when it
has the value "ALL". Either we may need to change the name of the field and at
the same time we need to change the type of the field as well.

I would rather suggest using the field "identityProvider" for this purpose.
Currently, for the final event we send out from the framework,
IdentityProvider is not defined. We can use this field to communicate the
type of Identity Provider we used. For example, if all the IDPs are
federated we can use "FEDERATED", if all the IDPs are local we can use
"LOCAL" and if both cases are involved we can use "FEDERATED,LOCAL". From
the analytics side, does this raise any concerns?

Or else we can introduce a new field for this. WDYT?

On Fri, Jun 17, 2016 at 6:50 PM, Damith Wickramasinghe <dami...@wso2.com>
wrote:

> Hi All,
>
> According to our design for the authentication dashboard we have two views,
> which are the federated view and the resident view. Both views have a gadget
> which shows the overall authentication success and failure count.
>
> The issue arises when a user logs in using multi-step authentication which
> comprises both resident and federated authenticators. Previously we
> identified overall authentication success using the event sent by the
> framework IF all the step authenticators are successful.
>
> E.g.: If the user authenticates with two step authenticators which are of
> type local, then on the DAS side we receive three events, from the
> corresponding authenticators and the framework. To identify that this is
> not a federated authentication scenario, from the IS side a boolean attribute
> is sent as isFederated, which is false for the above scenario.
>
> So in the resident view we will have an overall authentication count of 1.
>
> But if the user authenticates with two authenticators which are local and
> federated, then again we receive three events, but for the event which is
> sent from the framework, the isFederated value is *False*. So we have an
> issue showing the overall authentication count for the federated view because
> of this.
>
> So the proposed solution is to check if a certain authentication attempt
> involves federated authenticators and, if that is the case, send a String
> value of "ALL" for the isFederated attribute, or True or False respectively.
>
> So, following the above, if the user authenticates with two-step
> authentication of federated and local (success scenario), we show in both
> views that, overall, the user has one authentication success attempt.
>
> Please raise any concerns on this.
>
> Regards,
> Damith.
>
>
> --
> Software Engineer
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
>
> mobile: +94728671315
>
>


-- 
Hasintha Indrajee
Software Engineer
WSO2, Inc.
Mobile:+94 771892453
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
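
The labelling proposed in the message above, worked through as an added example (not part of the original thread and not WSO2 code). Only the `isFederated` and `identityProvider` field names and the three label values come from the thread; the other keys, the sample flows and the boolean model (true only when every step is federated) are assumptions.

```python
from collections import Counter

LOCAL, FEDERATED = "LOCAL", "FEDERATED"

# Constructed sample: per-step events grouped by login attempt. Only
# "isFederated" comes from the thread; the other keys are hypothetical.
SAMPLE_FLOWS = {
    "flow-1": [  # two local steps, both succeed
        {"authenticator": "basic", "isFederated": False, "step_success": True},
        {"authenticator": "totp", "isFederated": False, "step_success": True},
    ],
    "flow-2": [  # a local step followed by a federated step, both succeed
        {"authenticator": "basic", "isFederated": False, "step_success": True},
        {"authenticator": "saml-idp", "isFederated": True, "step_success": True},
    ],
    "flow-3": [  # a single federated step that fails
        {"authenticator": "oidc-idp", "isFederated": True, "step_success": False},
    ],
}


def idp_type_label(steps):
    """Return "LOCAL", "FEDERATED" or "FEDERATED,LOCAL" for one login attempt."""
    if not steps:
        raise ValueError("an authentication flow needs at least one step")
    kinds = {FEDERATED if step["isFederated"] else LOCAL for step in steps}
    return ",".join(sorted(kinds))


def overall_event(flow_id, steps, use_label=True):
    """Build the final framework event; success requires every step to succeed."""
    event = {"flow_id": flow_id,
             "success": all(step["step_success"] for step in steps)}
    if use_label:
        event["identityProvider"] = idp_type_label(steps)
    else:
        # Boolean form: a mixed flow is reported as False, as the thread
        # describes. Assumption: True only when every step is federated.
        event["isFederated"] = all(step["isFederated"] for step in steps)
    return event


def view_counts(events):
    """Count overall successes and failures for the resident and federated views."""
    counts = {"resident": Counter(), "federated": Counter()}
    for event in events:
        outcome = "success" if event["success"] else "failure"
        if "identityProvider" in event:
            kinds = set(event["identityProvider"].split(","))
        else:
            kinds = {FEDERATED if event["isFederated"] else LOCAL}
        if LOCAL in kinds:
            counts["resident"][outcome] += 1
        if FEDERATED in kinds:
            counts["federated"][outcome] += 1
    return counts


def dashboard(flows, use_label):
    """Per-view counts for a set of flows under either event format."""
    return view_counts(overall_event(flow_id, steps, use_label)
                       for flow_id, steps in flows.items())


if __name__ == "__main__":
    for use_label in (False, True):
        name = "identityProvider label" if use_label else "boolean isFederated"
        result = dashboard(SAMPLE_FLOWS, use_label)
        print(name, {view: dict(c) for view, c in result.items()})
```

With the boolean field the mixed flow is missing from the federated view; with the label it is counted once in each view, and a dashboard that sums the two views would count it twice.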


Re: [Dev] Analytics IS - Handling null or empty Strings to show on respective gadgets

2016-06-08 Thread Hasintha Indrajee
On Thu, Jun 9, 2016 at 7:29 AM, Mohanadarshan Vivekanandalingam <
mo...@wso2.com> wrote:

>
>
> On Thu, Jun 9, 2016 at 2:03 AM, Sriskandarajah Suhothayan <s...@wso2.com>
> wrote:
>
>> I think the way to handle this is by sending some default value, or
>> identifying nulls and replacing them with a default value.
>> I think the trick here is to find a default value that users cannot
>> create. How about using "NOT AVAILABLE" with a space. I think IS does not
>> allow users to create usernames with spaces so it will not conflict with any
>> other username.
>>
>
> Yes, we should have a default value for this. But I think IS allows
> user names with spaces by changing the relevant regex in the user-mgt.xml
> file. Then we need to think about some unique value which IS does not
> allow.
>

There are situations where Identity Server does not have control over
creating users in userstores. These userstores may be plugged in to
different other systems as well. On the other hand, the server admins /
authorized users may also not have control over creating users (self
registration).

>
> Can't we introduce a config file to add this default value? Then it is
> the responsibility of the server admin to configure it accordingly.
>

Currently we follow this approach.

>
> Thanks,
> Mohan
>
>
>>
>> Regards
>> Suho
>>
>> On Tue, Jun 7, 2016 at 8:29 PM, Mohanadarshan Vivekanandalingam <
>> mo...@wso2.com> wrote:
>>
>>>
>>>
>>> On Tue, Jun 7, 2016 at 6:35 PM, Hasintha Indrajee <hasin...@wso2.com>
>>> wrote:
>>>
>>>> Hi Damith,
>>>>
>>>> For the time being we can follow this approach. But this seems like a
>>>> standard problem we may face in other products as well. Any standard way of
>>>> handling this? Any ideas for handling this issue in future?
>>>>
>>>>
>>> Hmm, AFAIK the above did not become an issue for other analytics
>>> products/usecases.
>>>
>>> @Srinath and all, do you guys have any suggestions? What should be the
>>> best approach?
>>>
>>> Thanks,
>>> Mohan
>>>
>>>
>>>
>>>> On Tue, Jun 7, 2016 at 12:32 PM, Damith Wickramasinghe <
>>>> dami...@wso2.com> wrote:
>>>>
>>>>> Hi Johann and all,
>>>>>
>>>>> Our decided approach was to send an empty string for all the cases from
>>>>> the IS side and, from DAS after retrieving the data, provide a default
>>>>> string with some style to show that it's a special empty case. But in
>>>>> Lucene we cannot have empty attributes since they cannot be indexed and
>>>>> search will not work for them. Our next option is to provide a standard
>>>>> naming for a default value and also provide some configuration in IS to
>>>>> change it if needed. WDYT?
>>>>>
>>>>> Regards,
>>>>> Damith.
>>>>>
>>>>> On Mon, Jun 6, 2016 at 7:19 PM, Damith Wickramasinghe <
>>>>> dami...@wso2.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> When it comes to authentication scenarios, in some cases we cannot
>>>>>> specify roles etc. when publishing events, e.g. a non-existing user tried
>>>>>> to log in with a username and password. Then for the said events the
>>>>>> roles attribute will be empty/null.
>>>>>>
>>>>>> Also, as discussed with Pulasthi, there can be other attributes as well
>>>>>> which can be empty or null. For all those scenarios we need to show an
>>>>>> authentication failure count for all the dimensions of User, Role,
>>>>>> IdentityProvider etc. For that we need a constant String which can be
>>>>>> used to show the respective fail counts. A constant value like
>>>>>> "NOT-AVAILABLE" can be sent from the IS side or populated from the DAS
>>>>>> side, but any user can create a username of any sort, e.g. NOT-AVAILABLE.
>>>>>> So there can be issues in calculating authentication failure counts.
>>>>>>
>>>>>> Any insights on handling such scenarios ?
>>>>>>
>>>>>> Regards,
>>>>>> Damith.
>>>>>>

Re: [Dev] Analytics IS - Handling null or empty Strings to show on respective gadgets

2016-06-07 Thread Hasintha Indrajee
Hi Damith,

For the time being we can follow this approach. But this seems like a
standard problem we may face in other products as well. Any standard way of
handling this? Any ideas for handling this issue in future?

On Tue, Jun 7, 2016 at 12:32 PM, Damith Wickramasinghe <dami...@wso2.com>
wrote:

> Hi Johann and all,
>
> Our decided approach was to send an empty string for all the cases from the
> IS side and, from DAS after retrieving the data, provide a default string with
> some style to show that it's a special empty case. But in Lucene we cannot
> have empty attributes since they cannot be indexed and search will not work
> for them. Our next option is to provide a standard naming for a default value
> and also provide some configuration in IS to change it if needed. WDYT?
>
> Regards,
> Damith.
>
> On Mon, Jun 6, 2016 at 7:19 PM, Damith Wickramasinghe <dami...@wso2.com>
> wrote:
>
>> Hi,
>>
>> When it comes to authentication scenarios, in some cases we cannot specify
>> roles etc. when publishing events, e.g. a non-existing user tried to log in
>> with a username and password. Then for the said events the roles attribute
>> will be empty/null.
>>
>> Also, as discussed with Pulasthi, there can be other attributes as well
>> which can be empty or null. For all those scenarios we need to show an
>> authentication failure count for all the dimensions of User, Role,
>> IdentityProvider etc. For that we need a constant String which can be used
>> to show the respective fail counts. A constant value like
>> "NOT-AVAILABLE" can be sent from the IS side or populated from the DAS side,
>> but any user can create a username of any sort, e.g. NOT-AVAILABLE. So there
>> can be issues in calculating authentication failure counts.
>>
>> Any insights on handling such scenarios ?
>>
>> Regards,
>> Damith.
>>
>> --
>> Software Engineer
>> WSO2 Inc.; http://wso2.com
>> lean.enterprise.middleware
>>
>> mobile: +94728671315
>>
>>
>
>
> --
> Software Engineer
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
>
> mobile: +94728671315
>
>


-- 
Hasintha Indrajee
Software Engineer
WSO2, Inc.
Mobile:+94 771892453
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
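
The placeholder problem discussed in this thread, as an added example (not part of the original messages and not WSO2 code). It checks a configured default value against a username pattern and then counts failures per dimension; the regexes, event keys and sample events are constructed, and the `filled_fields` marker goes beyond what the thread decided.

```python
import re
from collections import Counter

# Dimensions named in the thread; the event key names are assumptions.
DIMENSIONS = ("username", "role", "identityProvider")

# Constructed username patterns (assumptions, not WSO2 defaults).
STRICT_USERNAMES = r"[a-zA-Z0-9._-]{3,30}"
SPACED_USERNAMES = r"[a-zA-Z0-9._ -]{3,30}"

# Constructed authentication events; None or blank means "not known".
SAMPLE_EVENTS = [
    {"username": "ghost", "role": None, "identityProvider": "LOCAL",
     "success": False},   # non-existing user, so no role
    {"username": "NOT-AVAILABLE", "role": "admin",
     "identityProvider": "LOCAL", "success": False},   # real user, odd name
    {"username": "", "role": "  ", "identityProvider": "LOCAL",
     "success": False},   # nothing known about the caller
    {"username": "alice", "role": "admin", "identityProvider": "LOCAL",
     "success": True},
]


def placeholder_is_safe(placeholder, username_regex):
    """True when no username accepted by the pattern can equal the placeholder.

    Run this with the same regex dialect the userstore enforces. It says
    nothing about userstores whose accounts are created by other systems.
    """
    return re.fullmatch(username_regex, placeholder) is None


def fill_missing(event, placeholder):
    """Copy the event, replacing None/blank dimensions with the placeholder.

    The names of the replaced fields are kept in "filled_fields"
    (hypothetical), so a real value that equals the placeholder stays
    distinguishable even when the username pattern cannot be trusted.
    """
    out = dict(event)
    filled = []
    for field in DIMENSIONS:
        value = out.get(field)
        if value is None or not str(value).strip():
            out[field] = placeholder
            filled.append(field)
    out["filled_fields"] = filled
    return out


def failure_counts(events, dimension, placeholder, separate_real=True):
    """Failed logins per value of one dimension.

    With separate_real=False the count behaves like a plain group-by, which
    merges "value unknown" with a real value spelled like the placeholder.
    """
    counts = Counter()
    for event in events:
        if event["success"]:
            continue
        value = event[dimension]
        is_real = dimension not in event["filled_fields"]
        if separate_real and value == placeholder and is_real:
            value = placeholder + " (real value)"
        counts[value] += 1
    return counts


if __name__ == "__main__":
    default = "NOT-AVAILABLE"
    print("safe under strict pattern:",
          placeholder_is_safe(default, STRICT_USERNAMES))
    events = [fill_missing(e, default) for e in SAMPLE_EVENTS]
    print(dict(failure_counts(events, "username", default, False)))
    print(dict(failure_counts(events, "username", default)))
```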


[Dev] WSO2 Identity Server 5.1.0 Released !

2015-12-23 Thread Hasintha Indrajee
   - Just-in-time provisioning
   - Ability to plug-in custom developed provisioning connectors
   - User Dashboard
   - SAML2 Web SSO profile Request / Response validator
   - Remote User Store Management
   - Custom permissions
   - Encrypted SAML2 Assertions
   - NTLM grant type for OAuth 2.0
   - Workflows for user management operations
   - 2 factor authentication with FIDO
   - Linking 2 or more local/federated user accounts

Issues Fixed in This Release

This release of WSO2 Identity Server comes with a number of bug fixes, both
in the base Carbon framework and in the Identity Server specific
components. All the issues which have been fixed in this release can be
found at:

   - Fixed Issues for WSO2 Identity Server 5.1.0
   <https://wso2.org/jira/issues/?filter=12586>

Known Issues

All the known issues in WSO2 Identity Server 5.1.0 are reported at:

   - Known issues in WSO2 Identity Server 5.1.0
   <https://wso2.org/jira/issues/?filter=12587>

How You Can Contribute

Mailing Lists

Join our mailing list and correspond with the developers directly.

   - Developer list : dev@wso2.org | Subscribe
   <dev-requ...@wso2.org?subject=subscribe> | Mail Archive
   <http://wso2.org/mailarchive/dev/>
   - User forum : StackOverflow
   <http://stackoverflow.com/questions/tagged/wso2>

Reporting Issues

We encourage you to report issues, documentation faults and feature
requests regarding WSO2 Identity Server or in the Carbon base framework
through the public WSO2 Identity Server JIRA
<https://wso2.org/jira/browse/IDENTITY> or Carbon JIRA
<http://www.wso2.org/jira/browse/CARBON>.

Support

We are committed to ensuring that your enterprise middleware deployment is
completely supported from evaluation to production. Our unique approach
ensures that all support leverages our open development methodology and is
provided by the very same engineers who build the technology. For more
details and to take advantage of this unique opportunity, visit
http://wso2.com/support/

For more information about WSO2 Identity Server, please see
http://wso2.com/products/identity-server or visit the WSO2 Oxygen Tank
<http://wso2.org/library> developer portal for additional resources.

Thank you for your interest in WSO2 Identity Server.

*The WSO2 Identity Server Team*

-- 
Hasintha Indrajee
Software Engineer
WSO2, Inc.
Mobile:+94 771892453
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [VOTE] Release WSO2 BRS 2.2.0 RC

2015-12-22 Thread Hasintha Indrajee
Hi Firzhan,

Please upgrade carbon-identity version to 5.0.7. It includes one critical
fix.

On Wed, Dec 23, 2015 at 11:54 AM, Firzhan Naqash <firz...@wso2.com> wrote:

> We have found some permission issues. Hence we are calling off this vote.
> Once we fixed this issue, I will send a new vote immediately.
>
> Regards,
> Firzhan
>
>
> --
> *Firzhan Naqash*
> Senior Software Engineer - Integration Platform Team
> WSO2 Inc. http://wso2.com
>
> email: firz...@wso2.com
> mobile: (+94) 77 9785674
> blog: http://firzhanblogger.blogspot.com/
> twitter: https://twitter.com/firzhan007 | linked-in: https://www.linkedin.com/in/firzhan
>
> On Wed, Dec 23, 2015 at 11:13 AM, Isuru Wijesinghe <isur...@wso2.com>
> wrote:
>
>> I have tested all the samples. No issues found.
>>
>> [x] - Stable - Go ahead and release.
>>
>> On Wed, Dec 23, 2015 at 11:02 AM, Vinod Kavinda <vi...@wso2.com> wrote:
>>
>>> I have tested following,
>>> In single node and tenant mode:
>>>    - rsl deployment
>>>    - aar deployment
>>>    - capp deployment
>>>    - capp with security policy
>>> In cluster mode:
>>>    - registry key mode rule creation
>>>    - aar deployment
>>>
>>> No issues found.
>>>
>>> [x] - Stable - Go ahead and release.
>>>
>>> Regards,
>>> Vinod
>>>
>>>
>>> On Wed, Dec 23, 2015 at 10:57 AM, Firzhan Naqash <firz...@wso2.com>
>>> wrote:
>>>
>>>>
>>>> I have tested following in single node as well as cluster
>>>>
>>>>  - aar deployment
>>>>  - aar deployment with security policy
>>>>
>>>> No issues found.
>>>>
>>>> [x] - Stable - Go ahead and release.
>>>>
>>>>
>>>> Regards,
>>>> Firzhan
>>>>
>>>>
>>>> --
>>>> *Firzhan Naqash*
>>>> Senior Software Engineer - Integration Platform Team
>>>> WSO2 Inc. http://wso2.com
>>>>
>>>> email: firz...@wso2.com
>>>> mobile: (+94) 77 9785674
>>>> blog: http://firzhanblogger.blogspot.com/
>>>> twitter: https://twitter.com/firzhan007 | linked-in: https://www.linkedin.com/in/firzhan
>>>>
>>>> On Wed, Dec 23, 2015 at 10:25 AM, Himasha Guruge <himas...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> I have tested following.
>>>>> [1]. Load testing against stateless rule services.
>>>>>
>>>>> No issues found.
>>>>>
>>>>> [x] - Stable - Go ahead and release.
>>>>>
>>>>>
>>>>> Thanks,
>>>>> Himasha
>>>>>
>>>>> On Tue, Dec 22, 2015 at 8:48 PM, Milinda Perera <milin...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Devs,
>>>>>>
>>>>>> WSO2 BRS 2.2.0 RC Release Vote
>>>>>>
>>>>>> This release fixes the following issues:
>>>>>> https://wso2.org/jira/browse/BRS-134?filter=12526
>>>>>>
>>>>>> Please download BRS 2.2.0 RC and test the functionality and vote.
>>>>>> Vote will be open for 72 hours or as needed.
>>>>>>
>>>>>> Binary distribution at:
>>>>>>
>>>>>> https://svn.wso2.org/repos/wso2/people/milindap/BRS/releases/RC/wso2brs-2.2.0.zip
>>>>>>
>>>>>> Maven staging repository:
>>>>>> http://maven.wso2.org/nexus/content/repositories/orgwso2brs-233/
>>>>>>
>>>>>> The tag to be voted upon :
>>>>>> https://github.com/wso2/product-brs/tree/v2.2.0-RC
>>>>>>
>>>>>>
>>>>>> [-] Broken - do not release (explain why)
>>>>>> [+] Stable - go ahead and release
>>>>>>
>>>>>> Thanks and Regards,
>>>>>> WSO2 BPS/BRS Team
>>>>>>
>>>>>> --
>>>>>> Milinda Perera
>>>>>> Software Engineer;
>>>>>> WSO2 Inc. http://wso2.com ,
>>>>>> Mobile: (+94) 714 115 032
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Himasha Guruge
>>>>> *Software Engineer*
>>>>> WS*O2* *Inc.*
>>>>> Mobile: +94 777459299
>>>>> himas...@wso2.com
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Vinod Kavinda
>>> Software Engineer
>>> *WSO2 Inc. - lean . enterprise . middleware <http://www.wso2.com>.*
>>> Mobile : +94 (0) 712 415544
>>> Blog : http://soatechflicks.blogspot.com/
>>>
>>>
>>
>>
>> --
>> Isuru Wijesinghe
>> *Software Engineer*
>> WSO2 inc : http://wso2.com
>> lean.enterprise.middleware
>> Mobile: 0710933706
>> isur...@wso2.com
>>
>
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Hasintha Indrajee
Software Engineer
WSO2, Inc.
Mobile:+94 771892453
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [VOTE] Release WSO2 Identity Server 5.1.0 RC2

2015-12-22 Thread Hasintha Indrajee
Hi all,

Thanks for testing and verifying WSO2 Identity Server 5.1.0 RC2. We are
closing this vote. This vote has passed with 16 +1s and 0 -1s. Therefore we
will proceed with the WSO2 Identity Server 5.1.0 release.

On Wed, Dec 23, 2015 at 12:46 PM, Pandula Kariyawasam <pand...@wso2.com>
wrote:

> Hi All,
>
> I have tested following scenarios and didn't introduce any issues on them.
>
> - login to Office365 via SAML SSO using IS510 (with JDBC Userstore) as IDP.
> - Smoke test on Federation and integration scenarios
>
> [x] - Stable - Go ahead and release.
>
> Thanks,
> Pandula
>
>
> On Wed, Dec 23, 2015 at 12:12 PM, Indunil Upeksha Rathnayake <
> indu...@wso2.com> wrote:
>
>> Hi All,
>>
>> I have tested following functionalities in both super tenant and tenant
>> mode with email user name enabled/disabled.
>>
>> 1. SCIM (GET/PUT/PATCH operations, SCIM Extensions, with Basic and OAuth
>> authentication)
>> 2. Provisioning - SCIM
>> 3. Provisioning - Salesforce
>> 4. OAuth/OpenID Connect Federation
>> 5. IdP's default authenticator changes in SP, IDP multi-step
>> authentication
>>
>> No issues found.
>> [x] - Stable - Go ahead and release.
>>
>>
>> On Wed, Dec 23, 2015 at 12:09 PM, Pulasthi Mahawithana <
>> pulast...@wso2.com> wrote:
>>
>>> Hi All,
>>>
>>> Found no issues with IWA Application and carbon authenticators.
>>>
>>> [x] - Stable - Go ahead and release.
>>>
>>>
>>> On Wed, Dec 23, 2015 at 12:04 PM, Kavitha Subramaniyam <kavi...@wso2.com>
>>> wrote:
>>>
>>>> Hi All,
>>>>
>>>> QA has done a smoke test on the RC pack and there were no blocking issues
>>>> found. The minor severity issues found have been reported in JIRA.
>>>>
>>>>
>>>> Thanks,
>>>> Kavitha.
>>>>
>>>> On Wed, Dec 23, 2015 at 11:46 AM, Gayan Gunawardana <ga...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> I have tested following functionalities.
>>>>>
>>>>> 1. Passive STS federation for tenant and super tenant
>>>>> 2. ID token for implicit grant type
>>>>> 3. SCIM patch operation for groups with all basic SCIM operations
>>>>>
>>>>> No issues found.
>>>>>
>>>>> [x] - Stable - Go ahead and release.
>>>>>
>>>>> Thanks,
>>>>> Gayan
>>>>>
>>>>> On Mon, Dec 21, 2015 at 6:29 PM, Hasintha Indrajee <hasin...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Devs,
>>>>>>
>>>>>> This is the second release candidate of WSO2 Identity Server 5.1.0.
>>>>>>
>>>>>> This release fixes the following issues:
>>>>>> https://wso2.org/jira/issues/?filter=12586
>>>>>>
>>>>>> Please download, test and vote.
>>>>>>
>>>>>> Source & binary distribution files:
>>>>>> https://github.com/wso2/product-is/releases/tag/v5.1.0-rc2
>>>>>>
>>>>>> Maven staging repo:
>>>>>> http://maven.wso2.org/nexus/content/repositories/orgwso2is-218/
>>>>>>
>>>>>> The tag to be voted upon:
>>>>>> https://github.com/wso2/product-is/tree/v5.1.0-rc2
>>>>>>
>>>>>>
>>>>>> [ ]  Stable - go ahead and release
>>>>>> [ ]  Broken - do not release (explain why)
>>>>>>
>>>>>> Thanks and Regards,
>>>>>> WSO2 Identity Server Team.
>>>>>>
>>>>>> --
>>>>>> Hasintha Indrajee
>>>>>> Software Engineer
>>>>>> WSO2, Inc.
>>>>>> Mobile:+94 771892453
>>>>>>
>>>>>>
>>>>>> ___
>>>>>> Dev mailing list
>>>>>> Dev@wso2.org
>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Gayan Gunawardana
>>>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>>>> Email: ga...@wso2.com
>>>>> Mobile: +94 (71) 8020933
>>>>>
>>>>> 

Re: [Dev] [VOTE] Release WSO2 Identity Server 5.1.0 RC2

2015-12-21 Thread Hasintha Indrajee
Hi Prabath,

It's available now. Can you please check.

On Mon, Dec 21, 2015 at 10:16 PM, Prabath Siriwardana <prab...@wso2.com>
wrote:

>
>
> On Mon, Dec 21, 2015 at 4:59 AM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>> Hi Devs,
>>
>> This is the second release candidate of WSO2 Identity Server 5.1.0.
>>
>> This release fixes the following issues:
>> https://wso2.org/jira/issues/?filter=12586
>>
>> Please download, test and vote.
>>
>> Source & binary distribution files:
>> https://github.com/wso2/product-is/releases/tag/v5.1.0-rc2
>>
>
> Returns 404...
>
> Thanks & regards,
> -Prabath
>
>
>>
>> Maven staging repo:
>> http://maven.wso2.org/nexus/content/repositories/orgwso2is-218/
>>
>> The tag to be voted upon:
>> https://github.com/wso2/product-is/tree/v5.1.0-rc2
>>
>>
>> [ ]  Stable - go ahead and release
>> [ ]  Broken - do not release (explain why)
>>
>> Thanks and Regards,
>> WSO2 Identity Server Team.
>>
>> --
>> Hasintha Indrajee
>> Software Engineer
>> WSO2, Inc.
>> Mobile:+94 771892453
>>
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +1 650 625 7950
>
> http://blog.facilelogin.com
> http://blog.api-security.org
>



-- 
Hasintha Indrajee
Software Engineer
WSO2, Inc.
Mobile:+94 771892453
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] [VOTE] Release WSO2 Identity Server 5.1.0 RC2

2015-12-21 Thread Hasintha Indrajee
Hi Devs,

This is the second release candidate of WSO2 Identity Server 5.1.0.

This release fixes the following issues:
https://wso2.org/jira/issues/?filter=12586

Please download, test and vote.

Source & binary distribution files:
https://github.com/wso2/product-is/releases/tag/v5.1.0-rc2

Maven staging repo:
http://maven.wso2.org/nexus/content/repositories/orgwso2is-218/

The tag to be voted upon:
https://github.com/wso2/product-is/tree/v5.1.0-rc2


[ ]  Stable - go ahead and release
[ ]  Broken - do not release (explain why)

Thanks and Regards,
WSO2 Identity Server Team.

-- 
Hasintha Indrajee
Software Engineer
WSO2, Inc.
Mobile:+94 771892453
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [VOTE] Release WSO2 Identity Server 5.1.0 RC1

2015-12-20 Thread Hasintha Indrajee
Hi all,

We are cancelling the vote due to the issue raised in [1] and will start a
new vote for Identity Server 5.1.0 RC2 shortly.

[1] https://wso2.org/jira/browse/IDENTITY-4241

On Mon, Dec 21, 2015 at 3:13 AM, Malithi Edirisinghe <malit...@wso2.com>
wrote:

> Hi Devs,
>
> I tested basic SP initiated and IdP initiated SAML SSO flows with signing
> and encryption enabled in a clustered setup. Didn't encounter any
> issues.
>
> [x] Stable - go ahead and release.
>
> Thanks,
> Malithi.
>
> On Sun, Dec 20, 2015 at 12:47 PM, Godwin Shrimal <god...@wso2.com> wrote:
>
>> Hi Devs,
>>
>> I tested major functionalities in XACML and PassiveSTS. No issues
>> encountered.
>>
>> [x] Stable - go ahead and release.
>>
>>
>> Thanks
>> Godwin
>>
>>
>>
>>
>> On Sun, Dec 20, 2015 at 8:27 PM, Damith Senanayake <dami...@wso2.com>
>> wrote:
>>
>>> Hi Devs,
>>>
>>> I tested the major functionalities of user management and user core.
>>>
>>> 1. creating/deleting/updating profiles of users
>>> 2. secondary user stores, addition and user operations of them
>>> 3. Tenant creation and basic user and user store operations of them.
>>>
>>> my vote is as follows :
>>>
>>> [x] - Stable, Go ahead and release.
>>>
>>> On Sun, Dec 20, 2015 at 7:06 AM, Harsha Thirimanna <hars...@wso2.com>
>>> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I tested following functionalities
>>>>
>>>> * Workflow
>>>>     - Basic operations with embedded BPS
>>>>     - Same operations with external BPS
>>>> * XACML
>>>>     - Policy creation
>>>>     - Policy Publish
>>>>     - Try out request
>>>>     - Policy deployment in file
>>>>     - Policy Cache
>>>>     - Decision Cache
>>>>
>>>>
>>>> So here is my vote.
>>>> [x] -Stable - go ahead and release
>>>>
>>>> thanks,
>>>>
>>>>
>>>>
>>>> *Harsha Thirimanna*
>>>> Senior Software Engineer; WSO2, Inc.; http://wso2.com
>>>> email: hars...@wso2.com cell: +94 71 5186770
>>>> twitter: http://twitter.com/harshathirimann
>>>> linked-in: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122
>>>>
>>>> *Lean . Enterprise . Middleware*
>>>>
>>>>
>>>> On Fri, Dec 18, 2015 at 12:44 PM, Hasintha Indrajee <hasin...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi Devs,
>>>>>
>>>>> This is the first release candidate of WSO2 Identity Server 5.1.0.
>>>>>
>>>>> This release fixes the following issues:
>>>>> https://wso2.org/jira/issues/?filter=12586
>>>>>
>>>>> Please download, test and vote.
>>>>>
>>>>> Source & binary distribution files:
>>>>> https://github.com/wso2/product-is/releases/tag/v5.1.0-rc1
>>>>>
>>>>> Maven staging repo:
>>>>> http://maven.wso2.org/nexus/content/repositories/orgwso2is-203/
>>>>>
>>>>> The tag to be voted upon:
>>>>> https://github.com/wso2/product-is/tree/v5.1.0-rc1
>>>>>
>>>>>
>>>>> [ ]  Stable - go ahead and release
>>>>> [ ]  Broken - do not release (explain why)
>>>>>
>>>>> Thanks and Regards,
>>>>> WSO2 Identity Server Team.
>>>>>
>>>>> --
>>>>> Hasintha Indrajee
>>>>> Software Engineer
>>>>> WSO2, Inc.
>>>>> Mobile:+94 771892453
>>>>>
>>>>>
>>>>> ___
>>>>> Dev mailing list
>>>>> Dev@wso2.org
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>>
>>>>
>>>> ___
>>>> Dev mailing list
>>>> Dev@wso2.org
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>>
>>> *-Damith Senanayake-*+94712205272
>>>
>>> ___
>>> Dev mailing list
>>> Dev@wso2.org
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>>
>> --
>> *Godwin Amila Shrimal*
>> Senior Software Engineer
>> WSO2 Inc.; http://wso2.com
>> lean.enterprise.middleware
>>
>> mobile: *+94772264165*
>> linkedin: *http://lnkd.in/KUum6D <http://lnkd.in/KUum6D>*
>> twitter: https://twitter.com/godwinamila
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
>
> *Malithi Edirisinghe*
> Senior Software Engineer
> WSO2 Inc.
>
> Mobile : +94 (0) 718176807
> malit...@wso2.com
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Hasintha Indrajee
Software Engineer
WSO2, Inc.
Mobile:+94 771892453
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] [VOTE] Release WSO2 Identity Server 5.1.0 RC1

2015-12-17 Thread Hasintha Indrajee
Hi Devs,

This is the first release candidate of WSO2 Identity Server 5.1.0.

This release fixes the following issues:
https://wso2.org/jira/issues/?filter=12586

Please download, test and vote.

Source & binary distribution files:
https://github.com/wso2/product-is/releases/tag/v5.1.0-rc1

Maven staging repo:
http://maven.wso2.org/nexus/content/repositories/orgwso2is-203/

The tag to be voted upon:
https://github.com/wso2/product-is/tree/v5.1.0-rc1


[ ]  Stable - go ahead and release
[ ]  Broken - do not release (explain why)

Thanks and Regards,
WSO2 Identity Server Team.

-- 
Hasintha Indrajee
Software Engineer
WSO2, Inc.
Mobile:+94 771892453
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Missing dependency when migrating ESB to Identity 5.0.0 from 4.5.6

2015-10-30 Thread Hasintha Indrajee
Hi,

Currently we are packing this dependency from one of our product level
features. We can bundle this dependency from the required features in our next
patch release. Meanwhile, please provide the required pull requests to make
sure your product builds fine. We can do a patch release asap after we get
the required pull requests.

On Thu, Oct 29, 2015 at 9:44 PM, Jagath Sisirakumara Ariyarathne <
jaga...@wso2.com> wrote:

> Hi,
>
> We faced the below dependency issue while updating the identity version to
> 5.0.0 from 4.5.6.
>
> Software being installed: STS Feature 5.0.0
> (org.wso2.carbon.sts.feature.group 5.0.0)
>  Missing requirement: openid4java 1.0.0.wso2v2 (openid4java 1.0.0.wso2v2)
> requires 'package net.sf.ehcache [1.5.0,1.6.0)' but it could not be found
>  Cannot satisfy dependency:
>   From: WSO2 Carbon - Identity Provider 5.0.0
> (org.wso2.carbon.identity.provider 5.0.0)
>   To: package org.openid4java [1.0.0,2.0.0)
>  Cannot satisfy dependency:
>   From: org.wso2.carbon.identity.sts.mgt 5.0.0
> (org.wso2.carbon.identity.sts.mgt 5.0.0)
>   To: package org.wso2.carbon.identity.provider [5.0.0,6.0.0)
>  Cannot satisfy dependency:
>   From: STS Feature 5.0.0 (org.wso2.carbon.sts.feature.group 5.0.0)
>   To: org.wso2.carbon.sts.server.feature.group [5.0.0]
>  Cannot satisfy dependency:
>   From: STS Core Feature 5.0.0 (org.wso2.carbon.sts.server.feature.group
> 5.0.0)
>   To: org.wso2.carbon.identity.sts.mgt [5.0.0]
>
> How can we solve this issue?
>
> Thanks.
> --
> Jagath Ariyarathne
> Technical Lead
> WSO2 Inc.  http://wso2.com/
> Email: jaga...@wso2.com
> Mob  : +94 77 386 7048
>
>


-- 
Hasintha Indrajee
Software Engineer
WSO2, Inc.
Mobile:+94 771892453
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] WSO2 Identity Server 5.1.0 Beta Released !

2015-10-30 Thread Hasintha Indrajee
WSO2 Identity Server 5.1.0 Beta Released !
Date: 30th October 2015

The WSO2 Identity Server team is pleased to announce the release of WSO2
Identity Server 5.1.0 Beta. You can download this distribution from
https://github.com/wso2/product-is/releases/tag/v5.1.0-beta

The following list [1] contains all bug fixes and improvements available
with the beta release. We encourage you to report issues, improvements and
feature requests regarding WSO2 Identity Server through the public WSO2
Identity Server JIRA <https://wso2.org/jira/browse/IDENTITY>.

~ The WSO2 Identity Server Team ~

[1] Release Notes - WSO2 Identity Server - Version 5.1.0-Beta

Bug

   - [IDENTITY-3530 <https://wso2.org/jira/browse/IDENTITY-3530>] - When
   try to change the password without providing current password exception get
   print in the console
   - [IDENTITY-3698 <https://wso2.org/jira/browse/IDENTITY-3698>] - Cannot
   suspend a user deletion without claiming the record
   - [IDENTITY-3700 <https://wso2.org/jira/browse/IDENTITY-3700>] -
   [IS510][Cluster][Load/Long][SAML] NPE -
   org.apache.catalina.core.StandardWrapperValve
   - [IDENTITY-3759 <https://wso2.org/jira/browse/IDENTITY-3759>] - Can't
   assign admin role to users
   - [IDENTITY-3810 <https://wso2.org/jira/browse/IDENTITY-3810>] - Disable
   secondary user store allows disabling for the user created at same user
   store
   - [IDENTITY-3899 <https://wso2.org/jira/browse/IDENTITY-3899>] - SAML >
   SAML federation in Tenant mode - NPE thrown when signing out from
   Travelocity
   - [IDENTITY-3909 <https://wso2.org/jira/browse/IDENTITY-3909>] - Unique
   constraint violation error while storing session data when performing
   concurrent OAuth authorization
   - [IDENTITY-3910 <https://wso2.org/jira/browse/IDENTITY-3910>] -
   inconsistent error messages when locked account password reset and Account
   creation
   - [IDENTITY-3913 <https://wso2.org/jira/browse/IDENTITY-3913>] - Cannot
   edit service provider's name
   - [IDENTITY-3915 <https://wso2.org/jira/browse/IDENTITY-3915>] -
   OperationCleanUpService not working in MySQL
   - [IDENTITY-3917 <https://wso2.org/jira/browse/IDENTITY-3917>] - Error
   was thrown when accessing the External BPS profile engine
   - [IDENTITY-3927 <https://wso2.org/jira/browse/IDENTITY-3927>] - Session
   timeouts not working properly
   - [IDENTITY-3930 <https://wso2.org/jira/browse/IDENTITY-3930>] -
   Connection refuse error was thrown when approving the task
   - [IDENTITY-3933 <https://wso2.org/jira/browse/IDENTITY-3933>] -
   [Resident Identity Provider] Some default URLs are not correct
   - [IDENTITY-3934 <https://wso2.org/jira/browse/IDENTITY-3934>] - Dead
   page when you hit cancel in service provider configuration
   - [IDENTITY-3935 <https://wso2.org/jira/browse/IDENTITY-3935>] - [ Bulk
   Import Users] If "Bulk Import Users" option is disabled in secondary user
   store, then this option is not given to the primary user store too - even
   when it's enabled
   - [IDENTITY-3938 <https://wso2.org/jira/browse/IDENTITY-3938>] -
   [IS510][OAuth][Oracle] OAuth Token Validation failed due to ORA-00933
   - [IDENTITY-3939 <https://wso2.org/jira/browse/IDENTITY-3939>] -
   In-progress tasks are not showing
   - [IDENTITY-3942 <https://wso2.org/jira/browse/IDENTITY-3942>] -
   Unapproved Roles & users are showing when do a specific search
   - [IDENTITY-3946 <https://wso2.org/jira/browse/IDENTITY-3946>] - Cannot
   Register SAML as Identitiy Provider
   - [IDENTITY-3949 <https://wso2.org/jira/browse/IDENTITY-3949>] - Bulk
   Import Users does not work for secondary user stores - even after enabling
   IsBulkImportSupported option
   - [IDENTITY-3953 <https://wso2.org/jira/browse/IDENTITY-3953>] -
   getChallengeQuestionsOfUser in UserIdentityManagementAdminService not
   giving the challenge questions when JDBCIdentityDataStore is used
   - [IDENTITY-3957 <https://wso2.org/jira/browse/IDENTITY-3957>] -
   Travelocity sample in 5.1.0 pack cannot not be invoked. Give the below
   error.
   - [IDENTITY-3960 <https://wso2.org/jira/browse/IDENTITY-3960>] - Issues
   in access token created without scope value
   - [IDENTITY-3964 <https://wso2.org/jira/browse/IDENTITY-3964>] - Invalid
   access token when invoke api for client_credentials grant_type, and
   access_token created without scope

Patch

   - [IDENTITY-3431 <https://wso2.org/jira/browse/IDENTITY-3431>] - Social
   Account Association does not work properly for tenant users.
   - [IDENTITY-3903 <https://wso2.org/jira/browse/IDENTITY-3903>] - URL
   Decode on SSO request didn't work properly


-- 
Hasintha Indrajee
Software Engineer
WSO2, Inc.
Mobile:+94 771892453


[Dev] WSO2 Identity Server 5.1.0 Alpha2 Released !!

2015-10-23 Thread Hasintha Indrajee
ties are outdated in identity.xml those must be removed
   from that file.
   - [IDENTITY-2596 <https://wso2.org/jira/browse/IDENTITY-2596>] -
   SAML2SSOManager is typed in application-authentication.xml
   - [IDENTITY-2652 <https://wso2.org/jira/browse/IDENTITY-2652>] - TODO
   list for CARBON-14744
   - [IDENTITY-2669 <https://wso2.org/jira/browse/IDENTITY-2669>] -
   Printing Realm Cache log repeated manner
   - [IDENTITY-2872 <https://wso2.org/jira/browse/IDENTITY-2872>] -
   Parameter "AssertionConsumerServiceURL" should be added to
   "authenticators.xml"
   - [IDENTITY-2967 <https://wso2.org/jira/browse/IDENTITY-2967>] - Test IS
   5.1.0 with WebContextRoot and ProxyContextPath
   - [IDENTITY-3250 <https://wso2.org/jira/browse/IDENTITY-3250>] - IS
   should adjust own Google authenticator according to the latest Google
   migration from OpenID2 to OpenIDConnect
   - [IDENTITY-3450 <https://wso2.org/jira/browse/IDENTITY-3450>] - User
   Management operations take lot of time when the user base is large
   - [IDENTITY-3534 <https://wso2.org/jira/browse/IDENTITY-3534>] - Need to
   do performance benchmarks for all IS features
   - [IDENTITY-3544 <https://wso2.org/jira/browse/IDENTITY-3544>] -
   [Migration] Migration from IS 5.0.0 SP01 to IS 5.1.0
   - [IDENTITY-3574 <https://wso2.org/jira/browse/IDENTITY-3574>] - Need to
   update the slf4j version range on waffle and oltu orbit bundle
   - [IDENTITY-3599 <https://wso2.org/jira/browse/IDENTITY-3599>] - Create
   oltu-1.0.0 orbit bundle
   - [IDENTITY-3600 <https://wso2.org/jira/browse/IDENTITY-3600>] - Create
   openid4java-1.0.0 orbit bundle
   - [IDENTITY-3634 <https://wso2.org/jira/browse/IDENTITY-3634>] - Yahoo!
   authenticator still uses OpenID - should be migrated to OAuth 2.0
   - [IDENTITY-3665 <https://wso2.org/jira/browse/IDENTITY-3665>] -
   [Oauth2] Issue in custom grant type access token generation
   - [IDENTITY-3811 <https://wso2.org/jira/browse/IDENTITY-3811>] - Create
   IDP_METADATA and SP_METADATA tables
   - [IDENTITY-3822 <https://wso2.org/jira/browse/IDENTITY-3822>] - Pack
   Mutual SSL Authenticator by default
   - [IDENTITY-3826 <https://wso2.org/jira/browse/IDENTITY-3826>] - Add a
   feature to pack sso agent from carbon-identity
   - [IDENTITY-3856 <https://wso2.org/jira/browse/IDENTITY-3856>] -
   Identity Management + Workflow use case should break
   - [IDENTITY-3861 <https://wso2.org/jira/browse/IDENTITY-3861>] -
   getSafeText() is still used in many places
   - [IDENTITY-3881 <https://wso2.org/jira/browse/IDENTITY-3881>] -
   Changing Cleanup Task Configurations

Wish

   - [IDENTITY-3732 <https://wso2.org/jira/browse/IDENTITY-3732>] - Changes
   to the Associated User Accounts UI

Sub-task

   - [IDENTITY-2057 <https://wso2.org/jira/browse/IDENTITY-2057>] - Review
   identity mgt related claims in claim-config.xml
   - [IDENTITY-2197 <https://wso2.org/jira/browse/IDENTITY-2197>] -
   EntitlementService is required managed permission
   - [IDENTITY-2686 <https://wso2.org/jira/browse/IDENTITY-2686>] - Need to
   write a DB based Security Policy Deployer for STS
   - [IDENTITY-2969 <https://wso2.org/jira/browse/IDENTITY-2969>] -
   Authentication endpoint doesn't work when Proxy Context Path is set in WSO2
   IS 5.0.0
   - [IDENTITY-3074 <https://wso2.org/jira/browse/IDENTITY-3074>] - User
   consent page url can not be configure.. although we can change login page
   url
   - [IDENTITY-3175 <https://wso2.org/jira/browse/IDENTITY-3175>] - Make
   confirmation code invalidation (after one use) optional in password reset
   with email flow
   - [IDENTITY-3521 <https://wso2.org/jira/browse/IDENTITY-3521>] - P2
   Profile for workflow features
   - [IDENTITY-3552 <https://wso2.org/jira/browse/IDENTITY-3552>] - Remove
   deleted workflow request in IS from BPS as well
   - [IDENTITY-3553 <https://wso2.org/jira/browse/IDENTITY-3553>] -
   Documentation for Workflow
   - [IDENTITY-3558 <https://wso2.org/jira/browse/IDENTITY-3558>] - Ability
   to enable/disable workflow triggering globally
   - [IDENTITY-3568 <https://wso2.org/jira/browse/IDENTITY-3568>] - Final
   Workflow code review before 5.1.0-Beta
   - [IDENTITY-3584 <https://wso2.org/jira/browse/IDENTITY-3584>] - SAML2
   Digest algorithm must be configurabled in Default Response/Assertion
   Builders
   - [IDENTITY-3589 <https://wso2.org/jira/browse/IDENTITY-3589>] -
   Duplicate entry for key 'CON_APP_KEY'
   - [IDENTITY-3593 <https://wso2.org/jira/browse/IDENTITY-3593>] - Enable
   embedded workflow engine out-of-the-box - and have a way to disable it in a
   production setup if its not required.
   - [IDENTITY-3597 <https://wso2.org/jira/browse/IDENTITY-3597>] -
   Creating 'Workflow' domain to create per workflow role
   - [IDENTITY-3640 <https://wso2.org/jira/browse/IDENTITY-3640>] -
   Decouple WF Framework from all the templates and workflow implementations.
   - [IDENTITY-3641 <https://wso2.org/jira/browse/IDENTITY-3641>] - Prepare
   Generic UI for Workflow framework
   - [IDENTITY-3642 <https://wso2.org/jira/browse/IDENTITY-3642>] - More
   flexible Template and WorkflowImpl metadata holder.
   - [IDENTITY-3643 <https://wso2.org/jira/browse/IDENTITY-3643>] -
   Re-Factor Bean/DTO usage within this whole feature and register service
   class as OSGi.
   - [IDENTITY-3644 <https://wso2.org/jira/browse/IDENTITY-3644>] -
   Creating seperate OSGi Bundle for template and workflowimpl
   - [IDENTITY-3645 <https://wso2.org/jira/browse/IDENTITY-3645>] -
   Workflow Request Delete Listener
   - [IDENTITY-3668 <https://wso2.org/jira/browse/IDENTITY-3668>] - Change
   Test Cases for this refactoring
   - [IDENTITY-3747 <https://wso2.org/jira/browse/IDENTITY-3747>] - Create
   indices for the user database operations in user core database scripts
   - [IDENTITY-3827 <https://wso2.org/jira/browse/IDENTITY-3827>] -
   Database access from ApplicationDAOImpl needs to be optimized to minimize
   access operations
   - [IDENTITY-3828 <https://wso2.org/jira/browse/IDENTITY-3828>] -
   WorkflowDAO database queries occur multiple times for single user delete
   operation
   - [IDENTITY-3829 <https://wso2.org/jira/browse/IDENTITY-3829>] - [UX]
   Create markups for new IS login and register pages


-- 
Hasintha Indrajee
Software Engineer
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] Enabling security with user name token

2015-10-16 Thread Hasintha Indrajee
Hi Rajith,

Ideally, even if you do not add authorization headers (XML), it should work.
I.e., the POX handler converts basicAuth headers to XML security headers. In the
current master branch of carbon-identity, this works as expected.

On Fri, Oct 16, 2015 at 10:08 AM, Rajith Vitharana <raji...@wso2.com> wrote:

> Hi Hasintha,
>
> I was able to resolve the error with the help of the ESB team. There was an error
> in our deployment flow as well. However, when we use Soap UI, it still
> doesn't send the security headers itself, whereas we have to manually add
> the security header to the request.
>
> This was working fine with earlier ESB versions (4.8.0 where security was
> enabled via security management UI) the same flow doesn't work in ESB
> 4.9.0. In DSS as well, this is the case now (have to add authorization
> header manually).
>
> Soap UI version I'm using is 5.0.0
>
> Thanks,
>
> On Thu, Oct 15, 2015 at 2:45 PM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>> Are you calling the service with security headers in the request itself?
>>
>> On Wed, Oct 14, 2015 at 8:37 PM, Rajith Vitharana <raji...@wso2.com>
>> wrote:
>>
>>> Hi Hasintha,
>>>
>>> We are using carbon-identity 4.5.6
>>>
>>> @Firzan we are using [1] as the policy file which contains the element
>>> you mentioned above.
>>>
>>> [1] -
>>> http://svn.wso2.org/repos/wso2/people/isuruu/qos/synapse-configs/default/local-entries/p1.xml
>>>
>>> Thanks,
>>>
>>> On Wed, Oct 14, 2015 at 5:12 PM, Hasintha Indrajee <hasin...@wso2.com>
>>> wrote:
>>>
>>>> Can you please tell me the carbon-identity version you are using ?
>>>>
>>>> On Wed, Oct 14, 2015 at 3:04 PM, Rajith Vitharana <raji...@wso2.com>
>>>> wrote:
>>>>
>>>>> + Asela
>>>>>
>>>>> On Wed, Oct 14, 2015 at 1:13 PM, Rajith Vitharana <raji...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have enabled security in DSS service specifying the policy file
>>>>>> (roles included in the policy). But when invoking the service with
>>>>>> username password, it throws below exception.
>>>>>>
>>>>>> java.lang.ClassCastException:
>>>>>> org.apache.axiom.om.impl.dom.ElementImpl cannot be cast to
>>>>>> org.apache.axiom.soap.SOAPHeaderBlock
>>>>>> at
>>>>>> org.wso2.carbon.security.pox.POXSecurityHandler.isSOAPWithoutSecHeader(POXSecurityHandler.java:362)
>>>>>> at
>>>>>> org.wso2.carbon.security.pox.POXSecurityHandler.invoke(POXSecurityHandler.java:102)
>>>>>> at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
>>>>>> at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
>>>>>> at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
>>>>>> at org.apache.axis2.engine.AxisEngine.sendFault(AxisEngine.java:515)
>>>>>> at
>>>>>> org.apache.axis2.transport.http.AxisServlet.handleFault(AxisServlet.java:433)
>>>>>> at
>>>>>> org.apache.axis2.transport.http.AxisServlet.processAxisFault(AxisServlet.java:398)
>>>>>> at
>>>>>> org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:188)
>>>>>> at
>>>>>> org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:231)
>>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
>>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>>>>>> at
>>>>>> org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
>>>>>> at
>>>>>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
>>>>>> at
>>>>>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68)
>>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>>>>>> at
>>>>>> org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
>>>>>> at
>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>>>>> at
>>>>>> org.apache.catalina.

Re: [Dev] Enabling security with user name token

2015-10-15 Thread Hasintha Indrajee
Are you calling the service with security headers in the request itself?

On Wed, Oct 14, 2015 at 8:37 PM, Rajith Vitharana <raji...@wso2.com> wrote:

> Hi Hasintha,
>
> We are using carbon-identity 4.5.6
>
> @Firzan we are using [1] as the policy file which contains the element you
> mentioned above.
>
> [1] -
> http://svn.wso2.org/repos/wso2/people/isuruu/qos/synapse-configs/default/local-entries/p1.xml
>
> Thanks,
>
> On Wed, Oct 14, 2015 at 5:12 PM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>> Can you please tell me the carbon-identity version you are using ?
>>
>> On Wed, Oct 14, 2015 at 3:04 PM, Rajith Vitharana <raji...@wso2.com>
>> wrote:
>>
>>> + Asela
>>>
>>> On Wed, Oct 14, 2015 at 1:13 PM, Rajith Vitharana <raji...@wso2.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have enabled security in DSS service specifying the policy file
>>>> (roles included in the policy). But when invoking the service with username
>>>> password, it throws below exception.
>>>>
>>>> java.lang.ClassCastException: org.apache.axiom.om.impl.dom.ElementImpl
>>>> cannot be cast to org.apache.axiom.soap.SOAPHeaderBlock
>>>> at
>>>> org.wso2.carbon.security.pox.POXSecurityHandler.isSOAPWithoutSecHeader(POXSecurityHandler.java:362)
>>>> at
>>>> org.wso2.carbon.security.pox.POXSecurityHandler.invoke(POXSecurityHandler.java:102)
>>>> at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
>>>> at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
>>>> at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
>>>> at org.apache.axis2.engine.AxisEngine.sendFault(AxisEngine.java:515)
>>>> at
>>>> org.apache.axis2.transport.http.AxisServlet.handleFault(AxisServlet.java:433)
>>>> at
>>>> org.apache.axis2.transport.http.AxisServlet.processAxisFault(AxisServlet.java:398)
>>>> at
>>>> org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:188)
>>>> at
>>>> org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:231)
>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>>>> at
>>>> org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
>>>> at
>>>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
>>>> at
>>>> org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68)
>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>>>> at
>>>> org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>> at
>>>> org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>> at
>>>> org.wso2.carbon.ui.filters.CSRFPreventionFilter.doFilter(CSRFPreventionFilter.java:88)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>> at
>>>> org.wso2.carbon.ui.filters.CRLFPreventionFilter.doFilter(CRLFPreventionFilter.java:59)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>> at
>>>> org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>> at
>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>&g

Re: [Dev] Enabling security with user name token

2015-10-14 Thread Hasintha Indrajee
nValve.java:159)
>> at
>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>> at
>> org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>> at
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>> at
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
>> at
>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
>> at
>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
>> at
>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1739)
>> at
>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1698)
>> at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>> at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>> at
>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>> at java.lang.Thread.run(Thread.java:744)
>>
>> Do we need to do anything else?
>>
>> Thanks,
>>
>> --
>> Rajith Vitharana
>>
>> Software Engineer,
>> WSO2 Inc. : wso2.com
>> Mobile : +94715883223
>> Blog : http://lankavitharana.blogspot.com/
>>
>
>
>
> --
> Rajith Vitharana
>
> Software Engineer,
> WSO2 Inc. : wso2.com
> Mobile : +94715883223
> Blog : http://lankavitharana.blogspot.com/
>



-- 
Hasintha Indrajee
Software Engineer
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] Identity User management

2015-10-13 Thread Hasintha Indrajee
Hi Rajith

You need to install org.wso2.carbon.identity.core.ui.feature in order to
get this. Once installed, you will find it under the main menu.


org.wso2.carbon.identity.core.ui.feature.group
${carbon.identity.version}


On Tue, Oct 13, 2015 at 11:51 AM, Rajith Vitharana <raji...@wso2.com> wrote:

> Hi ISTeam,
>
> We were using commons user management earlier, and migrated to identity
> user management. But now we can't see usermanagement section in management
> console. We have used below feature
>
> 
>
> org.wso2.carbon.user.mgt.feature.group
> 4.5.6
> 
> Do we need to do anything else?
>
> Thanks,
>
> --
> Rajith Vitharana
>
> Software Engineer,
> WSO2 Inc. : wso2.com
> Mobile : +94715883223
> Blog : http://lankavitharana.blogspot.com/
>
>
>


-- 
Hasintha Indrajee
Software Engineer
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] [DEV][IS] Getting an error when try to rtriw a Oauth token from IS server.

2015-10-07 Thread Hasintha Indrajee
We have the same logic in a few places to extract the authorization header (not
only in OAuth).

On Wed, Oct 7, 2015 at 10:59 PM, Malithi Edirisinghe <malit...@wso2.com>
wrote:

> Hi Hasintha,
>
> I don't see any usecase for using multiple authorization header values
> here. This is used for OAuth Client Authentication [1]. There we don't have
> multiple client credentials right.
>
> [1] https://tools.ietf.org/html/rfc6749#section-2.3
>
> On Wed, Oct 7, 2015 at 10:21 PM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>> Hi Malithi,
>>
>> What happens if we include multiple authorization header values in the
>> same header ? As [1] says we can use comma separated values for the same
>> header values. Is there a valid use case where we can use two authorization
>> header values ?. If so we need to handle this within the logic you stated.
>>
>> [1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
>>
>> On Wed, Oct 7, 2015 at 9:13 PM, Sachith Punchihewa <sachi...@wso2.com>
>> wrote:
>>
>>> @Malithi,
>>> Thank you very much for the detailed explanation. Yes, when I was
>>> debugging the method extract "Authorization:Basic xx" -H
>>> "Content-Type: application/x-www-form-urlencoded" and then split
>>> it. Thanks again for the explanation.
>>>
>>> Cheers.
>>>
>>> Kamidu Sachith Punchihewa
>>> *Software Engineer*
>>> WSO2, Inc.
>>> lean . enterprise . middleware
>>> Mobile : +94 (0) 770566749
>>>
>>>
>>>
>>> On Wed, Oct 7, 2015 at 8:59 PM, Malithi Edirisinghe <malit...@wso2.com>
>>> wrote:
>>>
>>>> Hi Sachith,
>>>>
>>>> Here EndpointUtil.extractCredentialsFromAuthzHeader() method expects
>>>> the value of the 'Authorization' header. Please refer [1]. Here the value
>>>> of the 'Authorization' header is passed to the method which is directly
>>>> taken from the servlet request.
>>>> And when decoding the header it expects the value to be in
>>>> ' ' format.
>>>>
>>>> So actually what's wrong here is the curl you have posted. It should be
>>>> like below.
>>>>
>>>> curl -k -d "grant_type=password=admin=admin" -H
>>>> "Authorization:Basic xx" -H "Content-Type:
>>>> application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
>>>>
>>>> So this adds the two headers properly.
>>>> In your case the value of the 'Authorization' header is 'Basic
>>>> xx, Content-Type:
>>>> application/x-www-form-urlencoded' which is not in the expected format.
>>>> That's why you see the error 'Error decoding authorization header.
>>>> Space delimited \" \" format violated.'
>>>>
>>>> Further, if you try out the curl command that Pushpalanka has posted
>>>> you will note that it works.
>>>>
>>>> [1]
>>>> https://github.com/wso2/carbon-identity/blob/master/components/oauth/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/token/OAuth2TokenEndpoint.java#L86
>>>>
>>>> Thanks,
>>>> Malithi.
>>>>
>>>>
>>>> On Wed, Oct 7, 2015 at 5:57 PM, Sachith Punchihewa <sachi...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> @Pushpalanka I used that then it gives me an error indicating "Client
>>>>> Authentication failed".
>>>>>
>>>>> This issues was not there in the IS 5.0.0. I did a debugging and found
>>>>> the issue. I have send a pull request regarding thi

Re: [Dev] [Kernel 4.4.2 Release] CARBON-15450 Updating OpenSAML version to 2.6.4

2015-10-07 Thread Hasintha Indrajee
Hi,

We found some issues with integrating the new version of opensaml. Therefore we
downgraded the opensaml version back to 2.4.1, so we don't need this to
be fixed in the 4.4.2 release.

On Tue, Oct 6, 2015 at 11:01 AM, Maduranga Siriwardena <madura...@wso2.com>
wrote:

> Hi Amaya,
>
> We have meant to create the new opensaml orbit bundle in [1]. Since we
> have already done that and we bundle and use the new bundle, it is not a
> blocker for our product release. Its better if you can resolve [2]. But as
> I understand, it is not a blocker for our product release.
>
> Thanks,
> Maduranga
>
> [1] https://wso2.org/jira/browse/CARBON-15450
> [2] https://wso2.org/jira/browse/CARBON-15455
>
> On Tue, Oct 6, 2015 at 10:35 AM, Manuri Amaya Perera <manu...@wso2.com>
> wrote:
>
>> Hi Maduranga,
>>
>> Is [1] a blocker for IS 5.1.0 ? As I understand if we are to resolve [1]
>> in kernel 4.4.2, we will have to fix [2] too.
>>
>> [1] https://wso2.org/jira/browse/CARBON-15450
>> [2] https://wso2.org/jira/browse/CARBON-15455
>>
>> Thank you
>>
>> On Tue, Oct 6, 2015 at 10:27 AM, Maduranga Siriwardena <
>> madura...@wso2.com> wrote:
>>
>>> Hi Amaya,
>>>
>>> You can resolve [1] since we have already released an orbit bundle for
>>> opensaml 2.6.4. For [2] you have to create a new orbit for apache velocity,
>>> since we do not export velocity packages from new opensaml orbit bundle.
>>>
>>> Thank you,
>>> Maduranga.
>>>
>>> [1] https://wso2.org/jira/browse/CARBON-15450
>>> [2] https://wso2.org/jira/browse/CARBON-15455
>>>
>>> On Tue, Oct 6, 2015 at 10:13 AM, Manuri Amaya Perera <manu...@wso2.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> Resolving [1] which has been marked as highest priority requires
>>>> creation of new bundles and changes in existing bundles[2].
>>>>
>>>> Could you please let us know whether [1] is a blocker for IS 5.1.0 and
>>>> if so it needs to be fixed in kernel 4.4.2.
>>>>
>>>> Thank you.
>>>>
>>>>
>>>> [1] https://wso2.org/jira/browse/CARBON-15450
>>>> [2] https://wso2.org/jira/browse/CARBON-15455
>>>>
>>>> --
>>>>
>>>> *Manuri Amaya Perera*
>>>>
>>>> *Software Engineer*
>>>>
>>>> *WSO2 Inc.*
>>>>
>>>> *Blog: http://manuriamayaperera.blogspot.com
>>>> <http://manuriamayaperera.blogspot.com>*
>>>>
>>>
>>>
>>>
>>> --
>>> Maduranga Siriwardena
>>> Software Engineer
>>> WSO2 Inc.
>>>
>>> email: madura...@wso2.com
>>> mobile: +94718990591
>>>
>>
>>
>>
>> --
>>
>> *Manuri Amaya Perera*
>>
>> *Software Engineer*
>>
>> *WSO2 Inc.*
>>
>> *Blog: http://manuriamayaperera.blogspot.com
>> <http://manuriamayaperera.blogspot.com>*
>>
>
>
>
> --
> Maduranga Siriwardena
> Software Engineer
> WSO2 Inc.
>
> email: madura...@wso2.com
> mobile: +94718990591
>
>
>


-- 
Hasintha Indrajee
Software Engineer
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] [DEV][IS] Getting an error when try to rtriw a Oauth token from IS server.

2015-10-07 Thread Hasintha Indrajee
 below command format and check,
>>>>
>>>> curl --user Client_Id:Client_Secret  -k -d
>>>> "grant_type=password=admin=admin" -H
>>>> "Content-Type:application/x-www-form-urlencoded"
>>>> https://localhost:9443/oauth2/token
>>>>
>>>> Thanks,
>>>> Pushpalanka.
>>>> --
>>>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>>>> Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
>>>> Mobile: +94779716248
>>>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
>>>> lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
>>>>
>>>>
>>>> On Wed, Oct 7, 2015 at 5:40 PM, Sachith Punchihewa <sachi...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>> I am currently using a local build of IS Server from the latest
>>>>> code. When I try to get an OAuth access token via a curl execution I am
>>>>> getting an error.
>>>>>
>>>>> Curl Format used :
>>>>>
>>>>> *curl-k-d***
>>>>>> *"grant_type=password=userNamepasswork&=**passWord*
>>>>>> *=carbon.super"-H***
>>>>>> *"Authorization:BasicBase 64 encoded
>>>>>> clientID:clientSecret,Content-Type:***
>>>>>> *application/x-www-form-urlencoded"https://localhost:9443/oauth2/token
>>>>>> <https://localhost:9443/oauth2/token>*
>>>>>
>>>>>
>>>>> Actual command :
>>>>>
>>>>> curl -k -d
>>>>>> "grant_type=password=x=x=carbon.super"
>>>>>> -H "Authorization: Basic xx,
>>>>>> Content-Type: application/x-www-form-urlencoded"
>>>>>> https://localhost:9443/oauth2/token
>>>>>
>>>>>
>>>>> Error :
>>>>>
>>>>> "Error decoding authorization header. Space delimited \"
>>>>>> \" format violated."
>>>>>
>>>>>
>>>>>
>>>>> Is there an issue with the curl command I am using here?
>>>>>
>>>>> Thanks and Regards.
>>>>> Kamidu Sachith Punchihewa
>>>>> *Software Engineer*
>>>>> WSO2, Inc.
>>>>> lean . enterprise . middleware
>>>>> Mobile : +94 (0) 770566749
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>
>>
>> --
>>
>> *Malithi Edirisinghe*
>> Senior Software Engineer
>> WSO2 Inc.
>>
>> Mobile : +94 (0) 718176807
>> malit...@wso2.com
>>
>
>
>
>


-- 
Hasintha Indrajee
Software Engineer
WSO2, Inc.
Mobile:+94 771892453
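
The header failure discussed in this thread, as an added example that is not code from carbon-identity and does not reproduce EndpointUtil.extractCredentialsFromAuthzHeader(): it shows why two headers typed into one curl -H argument reach the server as a single Authorization value, and how a strict parser rejects that value along with requests that carry more than one client authentication method (RFC 6749 section 2.3). All function names and the sample client credentials are assumptions constructed for illustration.

```python
import base64
import binascii


class AuthzHeaderError(ValueError):
    """The request does not carry exactly one well-formed client credential."""


def read_header_lines(lines):
    """Split raw header lines the way an HTTP server does: at the FIRST colon.

    Everything after that colon is the value, so two headers typed into one
    curl -H argument arrive as a single header with one long value.
    """
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not a header line: %r" % line)
        key = name.strip().lower()
        if key == "authorization" and key in headers:
            raise AuthzHeaderError("more than one Authorization header")
        headers[key] = value.strip()
    return headers


def extract_basic_credentials(header_value):
    """Return (client_id, client_secret) from one Authorization header value."""
    parts = header_value.strip().split(" ")
    if len(parts) != 2:
        # Hit by "Basic xx, Content-Type: application/x-www-form-urlencoded".
        raise AuthzHeaderError(
            "space delimited '<scheme> <credentials>' format violated")
    scheme, token = parts
    if scheme.lower() != "basic":
        raise AuthzHeaderError("unsupported scheme: " + scheme)
    try:
        # validate=True rejects commas and other non-base64 characters
        # instead of silently skipping them.
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise AuthzHeaderError("credentials are not valid base64 text") from exc
    client_id, sep, client_secret = decoded.partition(":")
    if not sep or not client_id:
        raise AuthzHeaderError("decoded value is not 'client_id:client_secret'")
    return client_id, client_secret


def authenticate_client(headers, form):
    """Pick the single client authentication method used by a token request.

    RFC 6749 section 2.3: a client must not use more than one authentication
    method per request, so header credentials plus body credentials is an error.
    """
    in_header = "authorization" in headers
    in_body = "client_secret" in form
    if in_header and in_body:
        raise AuthzHeaderError("more than one client authentication method")
    if in_header:
        return extract_basic_credentials(headers["authorization"])
    if in_body and "client_id" in form:
        return form["client_id"], form["client_secret"]
    raise AuthzHeaderError("no client credentials in request")


# Constructed sample credentials (not taken from the thread).
SAMPLE_TOKEN = base64.b64encode(b"sampleClientId:sampleSecret").decode("ascii")

# The failing shape from the thread: both headers inside one -H argument.
MERGED = ["Authorization: Basic %s, Content-Type: "
          "application/x-www-form-urlencoded" % SAMPLE_TOKEN]

# The corrected shape: one -H argument per header.
SEPARATE = ["Authorization: Basic " + SAMPLE_TOKEN,
            "Content-Type: application/x-www-form-urlencoded"]


def try_request(header_lines, form):
    """Return the authenticated client tuple, or a 'rejected: ...' string."""
    try:
        return authenticate_client(read_header_lines(header_lines), form)
    except AuthzHeaderError as err:
        return "rejected: %s" % err


if __name__ == "__main__":
    body = {"grant_type": "password"}
    print("merged  :", try_request(MERGED, body))
    print("separate:", try_request(SEPARATE, body))
```
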


Re: [Dev] [IS] [Carbon-jira] [jira] (IDENTITY-3767) OAuthClientException when retrieving an OAuth Token

2015-10-07 Thread Hasintha Indrajee
Hi Sachith,

We previously had this issue which you have raised in mail thread [1]. We
had a discussion on this previously. Please refer to the comment thread on
pull request [1].

[1] [Dev] [DEV][IS] Getting an error when try to rtriw a Oauth token from
IS server
[2] https://github.com/wso2/carbon-identity/pull/977

On Wed, Oct 7, 2015 at 7:04 PM, Sachith Punchihewa <sachi...@wso2.com>
wrote:

> Hi IS Team,
>
> The issue in the given Jira [1] is fixed and the pull request [2] is
> mentioned in a comment. Please review and merge.
>
> [1]. https://wso2.org/jira/browse/IDENTITY-3767
> [2]. https://github.com/wso2/carbon-identity/pull/1122
>
> Thanks and Regards.
> Kamidu Sachith Punchihewa
> *Software Engineer*
> WSO2, Inc.
> lean . enterprise . middleware
> Mobile : +94 (0) 770566749
>


-- 
Hasintha Indrajee
Software Engineer
WSO2, Inc.
Mobile:+94 771892453


[Dev] STS functionality broken due to opensaml upgrade

2015-10-06 Thread Hasintha Indrajee
STS functionality has been broken due to the upgrade of the opensaml
version (from 2.4.1 to 2.6.4) in carbon-identity. Error [1] can be
observed while invoking the STS service with UT policy engaged. Further, the
issue seems to be a failure to find class org.opensaml.XML from one of the
classes which resides in opensaml itself (org.opensaml.SAMLNameIdentifier).

[1]
http://schemas.xmlsoap.org/soap/envelope/
http://www.w3.org/2005/08/addressing
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd soapenv:mustUnderstand="1"
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd wsu:Id="Timestamp-136"
2015-10-06T11:47:27.145Z
2015-10-06T11:52:27.145Z
http://www.w3.org/2005/08/addressing/soap/fault
uuid:29736852-243e-40cb-9860-68d2db234e6f
soapenv:Server
java.lang.NoClassDefFoundError: Could not initialize class org.opensaml.XML

-- 
Hasintha Indrajee
Software Engineer
WSO2, Inc.
Mobile:+94 771892453


Re: [Dev] SSO Authentication Error

2015-10-06 Thread Hasintha Indrajee
)
> at org.wso2.carbon.webapp.authenticator.framework.WebappAuthenticationHandler.invoke(WebappAuthenticationHandler.java:43)
> at org.wso2.carbon.event.receiver.core.internal.tenantmgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:48)
> at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
> at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
> at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1739)
> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1698)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:745)
>
>
> --
> *Charitha Goonetilleke*
> Software Engineer
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
>
> mobile: +94 77 751 3669
> Twitter:@CharithaWs <https://twitter.com/CharithaWs>, fb: charithag
> <https://www.facebook.com/charithag>, linkedin: charithag
> <http://www.linkedin.com/in/charithag>
>



-- 
Hasintha Indrajee
Software Engineer
WSO2, Inc.
Mobile:+94 771892453